SECURITY AUDIT REPORT

orbit_solguard

Professional Security Assessment
Report ID: ORBIT_SOLGUARD-1770524881411
Generated: February 8, 2026 at 12:28 PM GMT+8
Version: 2.0.0
Standards: OWASP, NIST, CWE, CVSS

Executive Summary

Security Health Score: 0 (Poor - Significant security remediation required)
Critical Issues: 407 (Immediate action required)
High Priority: 53 (Fix within 24-48 hours)
Medium Priority: 294 (Address within 1 week)
Low Priority: 554 (Address as time permits)

Assessment Overview

This comprehensive security audit analyzed 130 files comprising 130 lines of code. The assessment identified 1308 security issues across 128 files, with 2 files passing all security checks.

CRITICAL FINDING: 407 critical security issues require immediate remediation to prevent potential system compromise.
HIGH PRIORITY: 53 high-severity issues should be addressed within the next 24-48 hours.

Risk Assessment Matrix

Critical: 407 (31.1%)
High: 53 (4.1%)
Medium: 294 (22.5%)
Low: 554 (42.4%)

Compliance & Standards

OWASP Top 10: Non-Compliant (OWASP A01:2021)
NIST 800-53: Compliant
PCI-DSS: Non-Compliant (PCI-DSS 6.5.8)
GDPR: Compliant

Detailed Security Findings (1308)

LOW Insufficient Test Coverage CVSS 2 CWE-754
Test file lacks edge case testing for PDA derivation boundary conditions
test/pda.test.ts:1
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Test Quality Issue CVSS 1 CWE-1164
Custom assert function does not provide stack traces or detailed error context
test/pda.test.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
test/pda.test.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Integer Overflow CVSS 3.1 CWE-190
Potential integer overflow in writeU128LE when handling very large bigint values
test/slab.test.ts:161
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Integer Overflow CVSS 3.1 CWE-190
Signed to unsigned conversion in writeI128LE may produce unexpected results for edge cases
test/slab.test.ts:168
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Buffer Overflow CVSS 3.3 CWE-787
No bounds checking on buffer offset in writeU128LE could cause buffer overrun
test/slab.test.ts:164
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 2 CWE-330
Test file uses hardcoded magic numbers and predictable test data
test/slab.test.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 2 CWE-200
Test file contains hardcoded cryptographic identifiers that could leak implementation details
test/abi.test.ts:1
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Test Coverage CVSS 2.5 CWE-190
Integer encoding functions lack boundary/overflow test cases for security-critical values
test/abi.test.ts:60
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Input Validation Test CVSS 3 CWE-20
Instruction encoders are not tested with malformed or malicious inputs
test/abi.test.ts:140
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 2.1 CWE-209
Error messages may expose internal implementation details through exception propagation
test/validation.test.ts:17
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Hardcoded Test Values CVSS 1.5 CWE-798
Test uses hardcoded public keys that appear to be real addresses (system program and potentially real key)
test/validation.test.ts:38
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Hardcoded Test Values CVSS 2 CWE-1188
Hardcoded test values for collateral amounts could mask edge case vulnerabilities if not comprehensive
tests/t4-trading.ts:23
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Error Handling CVSS 2.5 CWE-223
Error messages are truncated which may hide important security-relevant error details
tests/t4-trading.ts:32
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Negative Testing CVSS 4 CWE-754
Test suite lacks comprehensive negative security testing for trading operations
tests/t4-trading.ts:1
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Invariant Checks CVSS 4.5 CWE-754
Invariant checks are only performed in one test case, not consistently across all trading operations
tests/t4-trading.ts:97
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unhandled Promise Rejection CVSS 2 CWE-755
Top-level promise rejection only logs to console without proper error handling
tests/t4-trading.ts:145
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'runT4Tests' is never imported
tests/t4-trading.ts:152
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-532
Verbose error logging may expose sensitive internal state information
tests/invariants.ts:345
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Integer Overflow CVSS 5.3 CWE-190
BigInt comparison against hardcoded threshold may not catch all overflow scenarios
tests/invariants.ts:266
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Race Condition CVSS 4.3 CWE-362
Non-atomic state snapshot between getAccountInfo and getSlot calls may result in inconsistent data
tests/invariants.ts:57
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Improper Input Validation CVSS 3.7 CWE-20
Tolerance threshold of 200,000 (0.2 USDC) for collateral conservation is hardcoded without documentation
tests/invariants.ts:195
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Denial Of Service CVSS 3.1 CWE-755
Error handling for vault fetch failure provides detailed error message that could be exploited
tests/invariants.ts:202
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unused Import
'PublicKey' is imported but never used
tests/invariants.ts:11
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Dead Code
Export 'InvariantResult' is never imported
tests/invariants.ts:34
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'InvariantReport' is never imported
tests/invariants.ts:42
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'InvariantChecker' is never imported
tests/invariants.ts:52
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'printInvariantReport' is never imported
tests/invariants.ts:413
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Hardcoded Credentials Path CVSS 7.5 CWE-798
Hardcoded path to Solana keypair file containing private key material
tests/t22-devnet-stress.ts:70
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Sensitive File Read CVSS 7.2 CWE-522
Reading private key from filesystem without validation or encryption
tests/t22-devnet-stress.ts:71
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 5.3 CWE-20
Price values passed to encodePushOraclePrice are not validated for reasonable bounds
tests/t22-devnet-stress.ts:139
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Timestamp Manipulation CVSS 5 CWE-367
Timestamp derived from local system clock can be manipulated
tests/t22-devnet-stress.ts:140
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.7 CWE-209
Error messages are logged which may contain sensitive transaction or account information
tests/t22-devnet-stress.ts:106
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Rate Limiting CVSS 3.1 CWE-770
Fixed sleep delays between transactions may not be sufficient for production rate limiting
tests/t22-devnet-stress.ts:109
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insecure Default Rpc CVSS 2.5 CWE-319
Default RPC endpoint is public devnet which may have rate limits and no authentication
tests/t22-devnet-stress.ts:20
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 5.3 CWE-20
Large deposit test uses hardcoded value without validating system constraints
tests/t3-capital.ts:209
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: API Layer
LOW Error Handling Weakness CVSS 3.7 CWE-755
Silently accepting withdrawal failures due to oracle state masks potential security issues
tests/t3-capital.ts:104
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: API Layer
LOW Race Condition Potential CVSS 3.1 CWE-362
Multiple async operations without explicit ordering guarantees in conservation test
tests/t3-capital.ts:133
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: API Layer
LOW Incomplete Test Coverage CVSS 2.5 CWE-754
Zero deposit test doesn't verify rejection behavior, only checks balance unchanged
tests/t3-capital.ts:184
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: API Layer
LOW Missing Negative Test CVSS 2 CWE-754
Test suite lacks negative test cases for withdrawal beyond available margin
tests/t3-capital.ts:1
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: API Layer
LOW Unused Import
'printInvariantReport' is imported but never used
tests/t3-capital.ts:11
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: API Layer
LOW Dead Code
Export 'runT3Tests' is never imported
tests/t3-capital.ts:262
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: API Layer
MEDIUM Insufficient Error Handling CVSS 5.3 CWE-755
Trade error is logged but execution continues without proper validation of trade state
tests/t14-liquidation.ts:67
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Access Control Test CVSS 6.5 CWE-862
Tests do not verify that only authorized parties can perform liquidations
tests/t14-liquidation.ts:1
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Missing Price Manipulation Test CVSS 7.5 CWE-20
Tests do not verify protection against oracle price manipulation attacks during liquidation
tests/t14-liquidation.ts:1
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Missing Reentrancy Test CVSS 8.1 CWE-841
No tests for reentrancy protection during liquidation process
tests/t14-liquidation.ts:1
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Integer Overflow Edge Case CVSS 5.9 CWE-190
calculateMarginRequired function doesn't validate for potential overflow in multiplication
tests/t14-liquidation.ts:27
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Partial Liquidation Test CVSS 5.5 CWE-754
Tests do not cover partial liquidation scenarios which are critical for large positions
tests/t14-liquidation.ts:1
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Missing Sandwich Attack Test CVSS 7.2 CWE-362
No tests for front-running or sandwich attack protection on liquidations
tests/t14-liquidation.ts:1
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'runT14Tests' is never imported
tests/t14-liquidation.ts:345
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Test Coverage CVSS 5 CWE-754
Liquidation test does not verify actual liquidation conditions or manipulation scenarios
tests/t6-liquidation.ts:28
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Missing Oracle Manipulation Tests CVSS 7.5 CWE-345
No tests for oracle price manipulation or stale oracle data during liquidation
tests/t6-liquidation.ts:1
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Insurance Fund Verification CVSS 5.5 CWE-754
Insurance fund test only logs value without verifying correct transfers during liquidation
tests/t6-liquidation.ts:79
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Missing Reentrancy Test CVSS 7 CWE-841
No tests for reentrancy protection during liquidation
tests/t6-liquidation.ts:28
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Boundary Tests CVSS 5 CWE-682
No tests for liquidation at exact margin boundary conditions
tests/t6-liquidation.ts:50
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling Insufficient CVSS 3 CWE-755
Error messages are truncated and not fully validated
tests/t6-liquidation.ts:35
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'runT6Tests' is never imported
tests/t6-liquidation.ts:138
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Error Handling CVSS 5.3 CWE-755
Trade errors are silently logged and function returns without proper error propagation
tests/t15-funding.ts:86
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Timing Based Test Dependency CVSS 3.1 CWE-362
Using setTimeout for timing-dependent blockchain operations creates race conditions
tests/t15-funding.ts:96
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Weak Assertion CVSS 2 CWE-617
Assertion is tautological - always true for any bigint value
tests/t15-funding.ts:56
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Tolerance Validation CVSS 4.3 CWE-682
Hardcoded tolerance of 100,000 (0.1 USDC) for conservation check may be too permissive
tests/t15-funding.ts:209
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Null Checks CVSS 3.5 CWE-476
Optional chaining with nullish coalescing may mask account lookup failures
tests/t15-funding.ts:120
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Exposure Through Logs CVSS 2.1 CWE-532
Detailed funding state and capital information logged to console
tests/t15-funding.ts:50
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'runT15Tests' is never imported
tests/t15-funding.ts:450
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Error Handling Bypass CVSS 5.3 CWE-755
Trade errors are caught but test execution continues without failing, potentially masking security issues
tests/t12-trade-cpi.ts:82
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Input Validation CVSS 3.1 CWE-20
Trade size is passed as a string without validation, relying entirely on downstream validation
tests/t12-trade-cpi.ts:79
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Authentication Tests CVSS 5 CWE-862
Tests do not verify that unauthorized users cannot execute trades or access other users' positions
tests/t12-trade-cpi.ts:49
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Race Condition Test Gap CVSS 4 CWE-362
Conservation tests execute trades sequentially; no concurrent execution testing for race conditions
tests/t12-trade-cpi.ts:229
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Hardcoded Test Values CVSS 2 CWE-1164
Test uses hardcoded values that may not adequately test boundary conditions
tests/t12-trade-cpi.ts:31
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'runT12Tests' is never imported
tests/t12-trade-cpi.ts:303
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Hardcoded Credentials CVSS 5.5 CWE-798
Wallet private key loaded from predictable default path without secure permission checks
tests/t20-chainlink-oracle.ts:51
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insecure Randomness CVSS 3.7 CWE-338
Using Keypair.generate() which relies on system randomness without additional entropy verification
tests/t20-chainlink-oracle.ts:111
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 5.3 CWE-20
Oracle account data parsed without validating account owner matches expected Chainlink program
tests/t20-chainlink-oracle.ts:62
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Buffer Overflow CVSS 5.3 CWE-125
Buffer reads at hardcoded offsets without validating data length
tests/t20-chainlink-oracle.ts:79
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Numeric Overflow CVSS 3.1 CWE-190
Potential precision loss when converting BigInt timestamp to Number
tests/t20-chainlink-oracle.ts:83
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling CVSS 2.1 CWE-209
Error handling uses any type and only logs partial error information
tests/t20-chainlink-oracle.ts:171
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Denial Of Service CVSS 3.7 CWE-400
No timeout or retry logic for RPC connection, could hang indefinitely
tests/t20-chainlink-oracle.ts:54
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 2.1 CWE-532
Logging wallet public key and balance to console
tests/t20-chainlink-oracle.ts:57
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
tests/t20-chainlink-oracle.ts:29
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
tests/t20-chainlink-oracle.ts:30
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
tests/t20-chainlink-oracle.ts:31
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Error Handling CVSS 4.3 CWE-755
Unhandled promise rejection in main execution - only logs error without proper exit code
tests/t10-adversarial.ts:168
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Incomplete Test Validation CVSS 4 CWE-754
Test T10.3 does not explicitly assert the withdrawal was rejected - only logs the result
tests/t10-adversarial.ts:77
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Incomplete Test Validation CVSS 4 CWE-754
Test T10.5 does not assert expected behavior for zero fee - only logs result
tests/t10-adversarial.ts:122
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Incomplete Test Validation CVSS 4 CWE-754
Test T10.6 does not explicitly assert that max u64 value is handled correctly
tests/t10-adversarial.ts:140
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Test Coverage Gap CVSS 3.5 CWE-1164
Adversarial tests missing coverage for several critical attack vectors mentioned in spec comments
tests/t10-adversarial.ts:1
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Hardcoded Test Value CVSS 2 CWE-1188
Hardcoded small maxAccounts value (8) may not adequately test boundary conditions in production scenarios
tests/t10-adversarial.ts:86
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
tests/t10-adversarial.ts:19
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
tests/t10-adversarial.ts:26
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unused Import
'buildIx' is imported but never used
tests/t10-adversarial.ts:19
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Unused Import
'encodeInitUser' is imported but never used
tests/t10-adversarial.ts:26
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Unused Import
'encodeDeposit' is imported but never used
tests/t10-adversarial.ts:26
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Dead Code
Export 'runT10Tests' is never imported
tests/t10-adversarial.ts:215
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 2 CWE-200
Test file contains internal system architecture details and magic numbers that could aid attackers
tests/t1-market-boot.ts:1
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling CVSS 2.5 CWE-209
Generic error handling with console.error may expose stack traces in production-like environments
tests/t1-market-boot.ts:166
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Hardcoded Values CVSS 1.5 CWE-547
Hardcoded expected values for magic number and version could become stale or inconsistent with actual implementation
tests/t1-market-boot.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'runT1Tests' is never imported
tests/t1-market-boot.ts:185
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Input Validation CVSS 2.1 CWE-20
Command-line arguments are processed without strict validation, allowing arbitrary suite names
tests/runner.ts:68
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Message Information Disclosure CVSS 2 CWE-209
Error messages from test execution are captured and displayed, potentially exposing internal details
tests/runner.ts:99
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Race Condition CVSS 3.1 CWE-362
Fixed delay between sequential operations may introduce timing vulnerabilities in concurrent test environments
tests/t17-edge-cases.ts:195
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Input Validation CVSS 2.5 CWE-20
Position sizes in test loop are not validated against actual margin requirements before testing
tests/t17-edge-cases.ts:59
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling Information Disclosure CVSS 2 CWE-209
Error messages are truncated which could hide important security-relevant details during testing
tests/t17-edge-cases.ts:93
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Integer Boundary Testing Gap CVSS 5.3 CWE-190
T17.7 claims to test large values near u128 limits but no actual large value tests are implemented
tests/t17-edge-cases.ts:17
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Negative Test CVSS 3.5 CWE-754
Over-withdrawal test doesn't assert that the operation was actually rejected
tests/t17-edge-cases.ts:239
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'runT17Tests' is never imported
tests/t17-edge-cases.ts:359
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Input Validation CVSS 3.1 CWE-20
Fee amount is passed as string without validation before conversion to BigInt
tests/t2-user-lifecycle.ts:210
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling Information Disclosure CVSS 2.5 CWE-209
Error messages directly expose internal error details which could leak information about system internals
tests/t2-user-lifecycle.ts:37
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Hardcoded Values CVSS 2 CWE-798
Hardcoded fee amount (1_000_000n) should be derived from contract parameters to ensure consistency
tests/t2-user-lifecycle.ts:95
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Race Condition CVSS 4.3 CWE-362
Sequential account creation without explicit ordering guarantees could lead to flaky tests in concurrent environments
tests/t2-user-lifecycle.ts:210
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Cleanup On Failure CVSS 2 CWE-404
Cleanup is only called at the end; if tests fail early, resources may not be reclaimed
tests/t2-user-lifecycle.ts:267
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unused Import
'printInvariantReport' is imported but never used
tests/t2-user-lifecycle.ts:12
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Dead Code
Export 'runT2Tests' is never imported
tests/t2-user-lifecycle.ts:366
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Error Handling CVSS 2 CWE-755
Unhandled promise rejection with only console.error may hide critical test failures
tests/t8-crank.ts:166
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Hardcoded Test Values CVSS 2.5 CWE-1188
Hardcoded test account values and loop counts may not adequately stress test edge cases
tests/t8-crank.ts:47
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Invariant Assertion CVSS 4.5 CWE-754
Invariant check result is logged but not asserted, allowing tests to pass even when invariants fail
tests/t8-crank.ts:103
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Resource Exhaustion Testing CVSS 3 CWE-400
Stress test creates 100 users but doesn't verify behavior under resource constraints
tests/t8-crank.ts:112
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'runT8Tests' is never imported
tests/t8-crank.ts:171
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling CVSS 2.1 CWE-390
Generic error handling with console.error may suppress important security-related errors
tests/t9-determinism.ts:218
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Validation CVSS 2 CWE-754
Optional chaining on user lookup without explicit null handling could mask test failures
tests/t9-determinism.ts:110
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Race Condition CVSS 2.5 CWE-362
Test assumes snapshots taken in quick succession will have identical state, which may not hold under concurrent access
tests/t9-determinism.ts:28
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'runT9Tests' is never imported
tests/t9-determinism.ts:193
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Hardcoded Credentials CVSS 5.3 CWE-798
Hardcoded RPC URL and program IDs that could be manipulated in production
tests/harness.ts:63
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Path Traversal CVSS 7.5 CWE-22
File path constructed using user-controllable input without sanitization
tests/harness.ts:139
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Sensitive Data Exposure CVSS 7.1 CWE-311
Private key loaded from file and stored in memory without secure handling
tests/harness.ts:140
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-209
Detailed error messages and stack traces exposed in test output
tests/harness.ts:891
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 5.4 CWE-20
User-supplied options not validated before use in market creation
tests/harness.ts:369
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Denial Of Service CVSS 5.3 CWE-835
Unbounded loop in waitSlots could run indefinitely
tests/harness.ts:841
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insecure Randomness CVSS 2 CWE-328
Using crypto module's createHash for state verification only - acceptable for this use case
tests/harness.ts:173
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Race Condition CVSS 4.7 CWE-367
Time-of-check to time-of-use (TOCTOU) race condition in account index assignment
tests/harness.ts:538
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
tests/harness.ts:64
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
tests/harness.ts:65
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'RPC_URL' is never imported
tests/harness.ts:84
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'PROGRAM_ID' is never imported
tests/harness.ts:85
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'CRANK_NO_CALLER' is never imported
tests/harness.ts:88
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'PYTH_BTC_USD_FEED_ID' is never imported
tests/harness.ts:92
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'PYTH_SOL_USD_FEED_ID' is never imported
tests/harness.ts:93
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'EXISTING_BTC_USD_ORACLE' is never imported
tests/harness.ts:97
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'PYTH_BTC_USD' is never imported
tests/harness.ts:100
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'PYTH_SOL_USD' is never imported
tests/harness.ts:101
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'HERMES_ENDPOINT' is never imported
tests/harness.ts:104
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'TEST_MAX_STALENESS_SECS' is never imported
tests/harness.ts:107
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'DEFAULT_MAX_ACCOUNTS' is never imported
tests/harness.ts:110
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'DEFAULT_DECIMALS' is never imported
tests/harness.ts:111
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'DEFAULT_FEE_PAYMENT' is never imported
tests/harness.ts:112
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'MATCHER_PROGRAM_ID' is never imported
tests/harness.ts:115
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'MATCHER_CTX_SIZE' is never imported
tests/harness.ts:116
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'TestContext' is never imported
tests/harness.ts:122
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'UserContext' is never imported
tests/harness.ts:140
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'SlabSnapshot' is never imported
tests/harness.ts:150
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'TestResult' is never imported
tests/harness.ts:161
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'TestHarness' is never imported
tests/harness.ts:179
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'runT11Tests' is never imported
tests/t11-inverted-markets.ts:279
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 5.3 CWE-20
Hardcoded financial amounts used without validation or bounds checking
tests/t13-withdrawal-after-trade.ts:42
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling Information Disclosure CVSS 3.1 CWE-209
Full error messages are logged which may expose sensitive system information
tests/t13-withdrawal-after-trade.ts:114
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Null Pointer Dereference CVSS 5 CWE-476
Non-null assertion operator used without prior null check on account lookup result
tests/t13-withdrawal-after-trade.ts:108
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Race Condition CVSS 5.9 CWE-362
State verification after trade operations without transaction finality confirmation
tests/t13-withdrawal-after-trade.ts:132
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Test Isolation CVSS 2.5 CWE-668
Test creates fresh context but reuses variable names from outer scope, potential for state leakage
tests/t13-withdrawal-after-trade.ts:193
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Weak Assertion Logic CVSS 3.5 CWE-754
Success condition allows stale oracle errors to pass, potentially masking real failures
tests/t13-withdrawal-after-trade.ts:371
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Integer Overflow Potential CVSS 5.3 CWE-190
BigInt arithmetic without overflow checks when calculating over-withdrawal amount
tests/t13-withdrawal-after-trade.ts:219
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unused Import
'InvariantChecker' is imported but never used
tests/t13-withdrawal-after-trade.ts:16
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Dead Code
Export 'runT13Tests' is never imported
tests/t13-withdrawal-after-trade.ts:430
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insecure Connection CVSS 5.3 CWE-319
Hardcoded devnet RPC endpoint without TLS verification or rate limiting configuration
tests/t19-pyth-live-prices.ts:45
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Buffer Parsing Vulnerability CVSS 5.5 CWE-129
Buffer parsing with hardcoded offsets without proper validation could lead to incorrect data interpretation
tests/t19-pyth-live-prices.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Insufficient Price Validation CVSS 7.1 CWE-20
Price validation uses overly broad range that may not detect manipulated prices
tests/t19-pyth-live-prices.ts:64
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Oracle Staleness Tolerance CVSS 7.5 CWE-672
60-second staleness tolerance for price data is too permissive for high-frequency trading scenarios
tests/t19-pyth-live-prices.ts:65
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Division By Zero CVSS 5.3 CWE-369
Potential division by zero when calculating price difference percentage if onChainPriceUsd is zero
tests/t19-pyth-live-prices.ts:100
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Floating Point Precision CVSS 3.7 CWE-681
Using JavaScript Number for price calculations may lose precision for large values
tests/t19-pyth-live-prices.ts:59
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-209
Detailed error messages and system state information printed to console
tests/t19-pyth-live-prices.ts:237
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Error Handling CVSS 5 CWE-754
Network requests to Hermes lack timeout configuration and retry logic
tests/t19-pyth-live-prices.ts:51
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unused Import
'PublicKey' is imported but never used
tests/t19-pyth-live-prices.ts:15
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Dead Code
Export 'runT19Tests' is never imported
tests/t19-pyth-live-prices.ts:262
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 2.1 CWE-532
Sensitive financial system state information logged to console
tests/t16-risk-reduction.ts:52
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Error Handling CVSS 4.3 CWE-755
Trade error silently logged but test continues execution
tests/t16-risk-reduction.ts:99
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Error Handling CVSS 4.3 CWE-755
Early return on trade error without proper test failure indication
tests/t16-risk-reduction.ts:161
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Race Condition CVSS 3.1 CWE-362
Fixed timeout used for async operation synchronization
tests/t16-risk-reduction.ts:124
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Weak Tolerance Check CVSS 4 CWE-697
Conservation check uses hardcoded tolerance that may not scale with transaction size
tests/t16-risk-reduction.ts:229
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Incomplete Test Coverage CVSS 5 CWE-754
Risk reduction tests do not verify behavior when threshold is actually exceeded
tests/t16-risk-reduction.ts:1
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'runT16Tests' is never imported
tests/t16-risk-reduction.ts:376
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 5.3 CWE-20
String interpolation of BigInt values directly into trade function without validation
tests/t18-inverted-market-e2e.ts:161
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling Information Disclosure CVSS 3.1 CWE-209
Error messages are truncated and logged but may still expose sensitive implementation details
tests/t18-inverted-market-e2e.ts:118
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Race Condition CVSS 4.7 CWE-362
Fixed delay used instead of proper slot/block confirmation for funding rate updates
tests/t18-inverted-market-e2e.ts:200
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Assertion CVSS 2.5 CWE-754
Weak assertion using >= instead of > for funding slot advancement verification
tests/t18-inverted-market-e2e.ts:214
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Hardcoded Values CVSS 2 CWE-1188
Hardcoded deposit amounts and position sizes may not adequately test edge cases
tests/t18-inverted-market-e2e.ts:72
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Negative Test CVSS 4.3 CWE-1164
Test suite lacks negative test cases for inverted market edge cases
tests/t18-inverted-market-e2e.ts:44
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'runT18Tests' is never imported
tests/t18-inverted-market-e2e.ts:323
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Hardcoded Credentials CVSS 5.3 CWE-798
Hardcoded Chainlink oracle address and program IDs could be problematic if these need to change or are compromised
tests/t21-live-trading.ts:31
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.5 CWE-22
Wallet path construction using HOME environment variable could be manipulated
tests/t21-live-trading.ts:645
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insecure File Read CVSS 6.5 CWE-312
Reading private key from file without encryption or secure storage
tests/t21-live-trading.ts:646
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Error Handling CVSS 3.7 CWE-754
Missing error handling for file read operations and JSON parsing
tests/t21-live-trading.ts:649
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Integer Overflow CVSS 5.3 CWE-190
BigInt arithmetic in PnL calculation could overflow or produce unexpected results with extreme values
tests/t21-live-trading.ts:494
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Race Condition CVSS 5.9 CWE-367
Time-of-check to time-of-use (TOCTOU) vulnerability between getting account snapshot and executing trade
tests/t21-live-trading.ts:520
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Denial Of Service CVSS 3.1 CWE-400
Unbounded sleep and loop could consume resources indefinitely if endTime is set incorrectly
tests/t21-live-trading.ts:163
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.7 CWE-209
Error logs may expose sensitive transaction details or internal state
tests/t21-live-trading.ts:548
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Input Validation CVSS 3.1 CWE-20
Duration argument parsed without validation could cause unexpected behavior
tests/t21-live-trading.ts:791
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
tests/t21-live-trading.ts:55
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
tests/t21-live-trading.ts:65
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling CVSS 2.1 CWE-755
Unhandled promise rejection with only console.error logging
tests/t7-socialization.ts:107
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 2 CWE-532
Test file logs internal system state which could expose sensitive information in production logs
tests/t7-socialization.ts:35
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Resource Exhaustion CVSS 2.5 CWE-770
Unbounded loop creating users without resource limits could cause issues
tests/t7-socialization.ts:71
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'runT7Tests' is never imported
tests/t7-socialization.ts:114
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Error Handling CVSS 2 CWE-755
Unhandled promise rejection only logs to console without proper error propagation
tests/t5-oracle.ts:159
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Hardcoded Test Values CVSS 1.5 CWE-1164
Hardcoded test values for user funds may not adequately test boundary conditions
tests/t5-oracle.ts:29
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Oracle Validation Tests CVSS 4.5 CWE-1164
Test file claims to test stale oracle handling (T5.3) but implementation tests CU budgets instead
tests/t5-oracle.ts:1
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Price Manipulation Tests CVSS 5 CWE-1164
Oracle tests do not verify protection against price manipulation or flash loan attacks
tests/t5-oracle.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'runT5Tests' is never imported
tests/t5-oracle.ts:156
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Sensitive File Access CVSS 7.5 CWE-522
Hardcoded path to private key file with predictable location
scripts/complete-setup.ts:42
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Hardcoded Credentials CVSS 5.3 CWE-798
Hardcoded program IDs and account addresses that should be configurable
scripts/complete-setup.ts:19
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insecure Randomness CVSS 5.9 CWE-330
Using Keypair.generate() which relies on system randomness without additional entropy
scripts/complete-setup.ts:57
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Input Validation CVSS 4.3 CWE-20
Timestamp generated from Date.now() without validation or bounds checking
scripts/complete-setup.ts:140
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insecure File Write CVSS 4.7 CWE-312
Writing sensitive market configuration to filesystem without encryption or access controls
scripts/complete-setup.ts:183
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Error Handling CVSS 3.7 CWE-755
Basic error handling with only console.error, no transaction rollback or cleanup
scripts/complete-setup.ts:186
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Transaction Confirmation CVSS 3.1 CWE-362
Using 'confirmed' commitment level which may not guarantee finality
scripts/complete-setup.ts:52
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/complete-setup.ts:9
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
scripts/complete-setup.ts:19
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unused Import
'parseUsedIndices' is imported but never used
scripts/complete-setup.ts:9
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
HIGH Hardcoded Secrets CVSS 7.5 CWE-798
Private key loaded from predictable file path without validation
scripts/audit-deep-redteam.ts:50
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
External JSON file read without path validation
scripts/audit-deep-redteam.ts:46
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insecure Error Handling CVSS 4.3 CWE-209
Generic error handling exposes error messages that may contain sensitive information
scripts/audit-deep-redteam.ts:74
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Denial Of Service CVSS 5.3 CWE-400
Unbounded loop executing 20 trades without rate limiting
scripts/audit-deep-redteam.ts:420
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insecure Randomness CVSS 3.1 CWE-330
Using setTimeout-based delay which is predictable and not cryptographically secure
scripts/audit-deep-redteam.ts:66
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.7 CWE-532
Writing detailed security test results to status.md file without access controls
scripts/audit-deep-redteam.ts:730
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Type Confusion CVSS 3.1 CWE-843
Using 'any' type for parsed account data without runtime validation
scripts/audit-deep-redteam.ts:84
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Input Validation CVSS 3.1 CWE-20
Trade function accepts arbitrary bigint size without bounds checking
scripts/audit-deep-redteam.ts:93
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/audit-deep-redteam.ts:43
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/audit-deep-redteam.ts:44
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/audit-deep-redteam.ts:45
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/audit-deep-redteam.ts:46
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unused Import
'encodeInitUser' is imported but never used
scripts/audit-deep-redteam.ts:44
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Unused Import
'ACCOUNTS_INIT_USER' is imported but never used
scripts/audit-deep-redteam.ts:45
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
HIGH Hardcoded Secrets Exposure CVSS 7.5 CWE-798
Private key loaded from predictable file path without encryption, exposing sensitive cryptographic material
scripts/audit-adversarial.ts:28
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
File path constructed using environment variable without sanitization could allow path traversal if HOME is manipulated
scripts/audit-adversarial.ts:28
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insecure File Operations CVSS 5.9 CWE-20
Reading market configuration from untrusted JSON file without schema validation
scripts/audit-adversarial.ts:20
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Denial Of Service CVSS 4.3 CWE-400
Unbounded delay function could be abused if ms parameter is controlled externally
scripts/audit-adversarial.ts:35
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling Information Disclosure CVSS 3.1 CWE-209
Error messages are passed through which may leak internal implementation details
scripts/audit-adversarial.ts:107
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Race Condition CVSS 5.3 CWE-362
createTrader() finds max index by iterating after transaction, vulnerable to race conditions in concurrent scenarios
scripts/audit-adversarial.ts:79
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insecure File Write CVSS 3.7 CWE-94
Writing to status.md with user-controllable content without sanitization could allow injection
scripts/audit-adversarial.ts:352
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Logging CVSS 2.1 CWE-778
Transaction failures in runCrank silently return false without logging the error details
scripts/audit-adversarial.ts:40
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/audit-adversarial.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/audit-adversarial.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/audit-adversarial.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/audit-adversarial.ts:16
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Hardcoded Sensitive Path CVSS 5.5 CWE-798
Hardcoded path to private key file using HOME environment variable
scripts/close-broken-lps.ts:25
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Input Validation CVSS 5.3 CWE-20
JSON file content parsed without validation of expected structure
scripts/close-broken-lps.ts:17
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Error Handling CVSS 3.7 CWE-755
Network operations lack comprehensive error handling for connection failures
scripts/close-broken-lps.ts:36
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Race Condition CVSS 5.9 CWE-362
Account state check and withdrawal/close operations are not atomic
scripts/close-broken-lps.ts:42
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-209
Error messages are logged directly which may expose sensitive details
scripts/close-broken-lps.ts:81
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing File Existence Check CVSS 3.3 CWE-252
File read operations don't check if files exist before reading
scripts/close-broken-lps.ts:17
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/close-broken-lps.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/close-broken-lps.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/close-broken-lps.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/close-broken-lps.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
scripts/close-broken-lps.ts:16
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Sensitive Data Exposure CVSS 9.1 CWE-522
Private key loaded from filesystem without encryption, exposing sensitive cryptographic material
scripts/bug-fee-debt-trap.ts:45
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Path Traversal CVSS 7.5 CWE-22
Path construction using process.env.HOME without validation could lead to path traversal if HOME is manipulated
scripts/bug-fee-debt-trap.ts:45
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Error Handling CVSS 5.3 CWE-755
Silent exception swallowing in setOracleAuthority call hides potential security-relevant failures
scripts/bug-fee-debt-trap.ts:137
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Error Handling CVSS 4.3 CWE-755
Airdrop failures are silently caught, which could leave the script in an inconsistent state
scripts/bug-fee-debt-trap.ts:122
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Hardcoded Configuration CVSS 4 CWE-798
Hardcoded RPC endpoint URL makes it difficult to switch networks and may expose to endpoint manipulation
scripts/bug-fee-debt-trap.ts:43
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Input Validation CVSS 5.5 CWE-20
Market info loaded from JSON file without schema validation could cause runtime errors or unexpected behavior
scripts/bug-fee-debt-trap.ts:40
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Race Condition CVSS 3.7 CWE-367
Time-of-check to time-of-use (TOCTOU) vulnerability when finding new account index after initUser
scripts/bug-fee-debt-trap.ts:82
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Denial Of Service CVSS 3.1 CWE-400
Fixed delay of 2000ms in loop could cause script to run for extended periods, potential resource exhaustion
scripts/bug-fee-debt-trap.ts:156
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/bug-fee-debt-trap.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/bug-fee-debt-trap.ts:30
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
scripts/bug-fee-debt-trap.ts:31
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Hardcoded Secrets Path CVSS 5.5 CWE-798
Private key loaded from predictable file path without validation
scripts/set-maintenance-fee.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Input Validation CVSS 4.3 CWE-20
JSON file parsed without schema validation or error handling
scripts/set-maintenance-fee.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Path Traversal CVSS 3.3 CWE-22
Relative file path used without validation could be exploited via symlinks
scripts/set-maintenance-fee.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Authorization Check CVSS 4 CWE-862
No confirmation prompt before executing privileged admin operation
scripts/set-maintenance-fee.ts:42
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Error Handling CVSS 2 CWE-755
Errors only logged to console without proper error codes or recovery
scripts/set-maintenance-fee.ts:48
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Integer Precision Loss CVSS 2.5 CWE-681
Mixing BigInt and Number operations could cause precision issues
scripts/set-maintenance-fee.ts:22
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/set-maintenance-fee.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/set-maintenance-fee.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/set-maintenance-fee.ts:9
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
File path 'devnet-market.json' is read without validation, potentially allowing path traversal if filename comes from external source
scripts/check-liquidation.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Integer Overflow CVSS 7.5 CWE-190
Manual signed integer conversion using hardcoded magic number is error-prone and may not handle all edge cases correctly
scripts/check-liquidation.ts:35
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Denial Of Service CVSS 3.7 CWE-400
Synchronous file read blocks the event loop and no error handling for missing file
scripts/check-liquidation.ts:10
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-209
Detailed error information passed directly to console.error may expose sensitive information in production
scripts/check-liquidation.ts:57
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Precision Loss CVSS 4.3 CWE-681
Converting BigInt to Number for display may lose precision for large values
scripts/check-liquidation.ts:47
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/check-liquidation.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Hardcoded Secrets Exposure CVSS 7.5 CWE-798
Private key loaded from well-known file path without encryption, exposing wallet credentials
scripts/test-lp-profit-realize.ts:22
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
File path constructed using process.env.HOME without sanitization could be manipulated
scripts/test-lp-profit-realize.ts:22
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insecure File Read CVSS 5.9 CWE-20
Reading JSON configuration file without validation of content or file integrity
scripts/test-lp-profit-realize.ts:17
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Error Handling CVSS 4.3 CWE-390
Empty catch block silently swallows errors during crank execution, hiding potential issues
scripts/test-lp-profit-realize.ts:69
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Integer Overflow CVSS 5.4 CWE-190
BigInt arithmetic operations without overflow checks in position/margin calculations
scripts/test-lp-profit-realize.ts:186
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Input Validation CVSS 4.8 CWE-20
closePosition function accepts size parameter without validation for zero, negative beyond position, or extreme values
scripts/test-lp-profit-realize.ts:84
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Denial Of Service CVSS 3.5 CWE-400
Fixed loop count for cranks without consideration of actual state or timeout handling
scripts/test-lp-profit-realize.ts:66
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-209
Error messages truncated but still potentially expose sensitive transaction details
scripts/test-lp-profit-realize.ts:103
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/test-lp-profit-realize.ts:10
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/test-lp-profit-realize.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/test-lp-profit-realize.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/test-lp-profit-realize.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
scripts/test-lp-profit-realize.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Hardcoded Secret Path CVSS 7.5 CWE-798
Hardcoded path to private key file with predictable location
scripts/close-old-slab.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Unsafe File Read CVSS 5.3 CWE-252
Synchronous file read without error handling for missing or malformed key file
scripts/close-old-slab.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Insufficient Access Control CVSS 7.8 CWE-862
Script uses 'unsafe_close' feature that bypasses vault/insurance validation without additional authorization checks
scripts/close-old-slab.ts:1
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Input Validation CVSS 5.9 CWE-20
Hardcoded program ID and slab address without validation that they match expected values
scripts/close-old-slab.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Transaction Simulation CVSS 4.3 CWE-754
Transaction sent without prior simulation to verify it will succeed
scripts/close-old-slab.ts:34
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Logging CVSS 3.7 CWE-778
Sensitive administrative operation lacks audit logging
scripts/close-old-slab.ts:16
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/close-old-slab.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/close-old-slab.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/close-old-slab.ts:9
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Hardcoded relative file path read without validation could be exploited if working directory is manipulated
scripts/find-user.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Input Validation CVSS 3.1 CWE-20
Command line arguments are passed directly to PublicKey constructor without pre-validation
scripts/find-user.ts:9
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 2.5 CWE-209
Unhandled promise rejection may expose stack traces with sensitive information
scripts/find-user.ts:37
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Denial Of Service CVSS 3.7 CWE-400
No timeout or rate limiting on external RPC connection could lead to hanging or resource exhaustion
scripts/find-user.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/find-user.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Hardcoded Credentials Path CVSS 5.5 CWE-798
Private key loaded from hardcoded filesystem path using environment variable
scripts/audit-funding-warmup.ts:23
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Unvalidated Json Parse CVSS 5.3 CWE-20
JSON file parsed without validation or schema checking
scripts/audit-funding-warmup.ts:17
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Synchronous File Read CVSS 2 CWE-400
Synchronous file reading blocks the event loop
scripts/audit-funding-warmup.ts:17
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Error Handling CVSS 4 CWE-390
Catch block swallows errors without logging or proper handling
scripts/audit-funding-warmup.ts:40
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Path Traversal Risk CVSS 3.1 CWE-22
File path constructed without sanitization for status.md
scripts/audit-funding-warmup.ts:253
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Input Validation CVSS 5 CWE-20
User-controlled indices passed directly to contract without bounds validation
scripts/audit-funding-warmup.ts:59
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Race Condition CVSS 3.7 CWE-362
Rapid sequential trades without proper sequencing could result in race conditions
scripts/audit-funding-warmup.ts:182
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Exposure CVSS 2.5 CWE-200
Test results and financial data written to unprotected file
scripts/audit-funding-warmup.ts:256
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/audit-funding-warmup.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/audit-funding-warmup.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/audit-funding-warmup.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/audit-funding-warmup.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unused Import
'encodeInitUser' is imported but never used
scripts/audit-funding-warmup.ts:12
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Unused Import
'encodeDepositCollateral' is imported but never used
scripts/audit-funding-warmup.ts:12
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Unused Import
'ACCOUNTS_INIT_USER' is imported but never used
scripts/audit-funding-warmup.ts:13
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Unused Import
'ACCOUNTS_DEPOSIT_COLLATERAL' is imported but never used
scripts/audit-funding-warmup.ts:13
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Hardcoded file path read without validation could be manipulated if the file content is attacker-controlled
scripts/dump-state.ts:9
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Denial Of Service CVSS 5 CWE-400
Unbounded iteration over indices array without size limits could cause memory exhaustion
scripts/dump-state.ts:47
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Integer Overflow CVSS 5.5 CWE-190
BigInt arithmetic without overflow checks in price calculations
scripts/dump-state.ts:40
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Division By Zero CVSS 7.5 CWE-369
Division by potentially zero value in oracle price inversion
scripts/dump-state.ts:41
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.3 CWE-200
Sensitive market state written to predictable file location
scripts/dump-state.ts:231
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Unsafe Deserialization CVSS 6.5 CWE-502
Reading binary data from untrusted oracle account without validation
scripts/dump-state.ts:33
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Input Validation CVSS 5.3 CWE-20
PublicKey constructed from unvalidated JSON input
scripts/dump-state.ts:10
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Race Condition CVSS 3.7 CWE-362
Non-atomic reads of related blockchain state could lead to inconsistent data
scripts/dump-state.ts:37
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/dump-state.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Hardcoded Secrets Exposure CVSS 7.5 CWE-798
Private key is loaded from a predictable filesystem path without validation
scripts/test-happy-path.ts:55
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Unvalidated HOME environment variable used in file path construction
scripts/test-happy-path.ts:55
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Denial Of Service CVSS 5 CWE-400
Synchronous file reading blocks the event loop and can cause DoS
scripts/test-happy-path.ts:51
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insecure Error Handling CVSS 4.3 CWE-390
Empty catch block silently swallows errors, potentially hiding security issues
scripts/test-happy-path.ts:102
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Race Condition CVSS 5.9 CWE-367
TOCTOU race condition when checking for new account index after creation
scripts/test-happy-path.ts:118
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 5.3 CWE-20
Deposit amount is not validated before wrapping SOL
scripts/test-happy-path.ts:131
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Integer Overflow CVSS 5.3 CWE-190
BigInt arithmetic without overflow protection in price calculations
scripts/test-happy-path.ts:229
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.7 CWE-209
Error messages are truncated but still exposed to console output
scripts/test-happy-path.ts:811
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insecure Randomness CVSS 3.1 CWE-330
Using Date.now() for timestamp which can be predicted or manipulated in test scenarios
scripts/test-happy-path.ts:107
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Rate Limiting CVSS 3.7 CWE-770
No rate limiting on RPC calls which could lead to account suspension or denial of service
scripts/test-happy-path.ts:100
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/test-happy-path.ts:42
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
scripts/test-happy-path.ts:43
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Hardcoded Secrets Exposure CVSS 9.1 CWE-798
Private key loaded from predictable filesystem path without encryption or secure storage
scripts/bug-oracle-no-bounds.ts:36
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Path Traversal CVSS 7.5 CWE-22
File path constructed using process.env.HOME without validation, potentially exploitable if HOME is manipulated
scripts/bug-oracle-no-bounds.ts:36
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Sensitive Data Exposure CVSS 7.2 CWE-502
Market configuration including oracle and program addresses loaded from unvalidated JSON file
scripts/bug-oracle-no-bounds.ts:30
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Error Handling CVSS 5.3 CWE-390
Broad exception catching suppresses specific error information, hiding potential security issues
scripts/bug-oracle-no-bounds.ts:57
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Input Validation CVSS 5.9 CWE-20
Price and timestamp parameters passed to pushPrice without validation before constructing transaction
scripts/bug-oracle-no-bounds.ts:52
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.7 CWE-209
Detailed error messages and vulnerability information printed to console could aid attackers
scripts/bug-oracle-no-bounds.ts:239
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Race Condition CVSS 3.1 CWE-362
Test 6 rapid-fire updates don't account for network latency variations which could affect test reliability
scripts/bug-oracle-no-bounds.ts:158
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/bug-oracle-no-bounds.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/bug-oracle-no-bounds.ts:26
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unused Import
'parseParams' is imported but never used
scripts/bug-oracle-no-bounds.ts:18
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Unused Import
'parseUsedIndices' is imported but never used
scripts/bug-oracle-no-bounds.ts:18
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Unused Import
'parseAccount' is imported but never used
scripts/bug-oracle-no-bounds.ts:18
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Unused Import
'AccountKind' is imported but never used
scripts/bug-oracle-no-bounds.ts:18
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
File path 'devnet-market.json' is read without validation, potentially allowing path traversal if the filename is derived from user input in other contexts
scripts/check-funding.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insecure Deserialization CVSS 5.9 CWE-502
JSON.parse() on file content without schema validation could process malicious data
scripts/check-funding.ts:5
Fix Complexity: HIGH
Est. Time: 4-8 hours
Affected: Application Core
LOW Missing Error Handling CVSS 3.7 CWE-755
Network requests to Solana RPC lack error handling and timeout configuration
scripts/check-funding.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 2.4 CWE-532
Detailed position and funding information logged to console could expose sensitive trading data
scripts/check-funding.ts:22
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Hardcoded Endpoint CVSS 2.1 CWE-798
Hardcoded RPC endpoint URL limits flexibility and could cause issues if endpoint changes
scripts/check-funding.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/check-funding.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Hardcoded Credentials Exposure CVSS 7.5 CWE-798
Hardcoded path to private key file loaded without validation, exposing wallet credentials
scripts/stress-corner-cases.ts:38
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
File path constructed using relative path without sanitization, vulnerable to path traversal if file content is controlled
scripts/stress-corner-cases.ts:31
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Denial Of Service CVSS 5 CWE-400
Unbounded loop in crankN function can cause resource exhaustion if n is large
scripts/stress-corner-cases.ts:183
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Error Handling CVSS 4.5 CWE-755
Catch block silently swallows errors with only partial logging, hiding critical failures
scripts/stress-corner-cases.ts:185
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Race Condition CVSS 5.9 CWE-367
Time-of-check to time-of-use (TOCTOU) race condition in initUser when checking indices
scripts/stress-corner-cases.ts:206
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Integer Overflow CVSS 3.1 CWE-190
Timestamp calculation using Math.floor(Date.now() / 1000) could overflow in BigInt conversion for far future dates
scripts/stress-corner-cases.ts:195
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.7 CWE-532
Detailed state logging including financial amounts could expose sensitive trading information
scripts/stress-corner-cases.ts:47
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Improper Input Validation CVSS 3.5 CWE-20
No validation on amount parameter in deposit function could allow zero or negative amounts
scripts/stress-corner-cases.ts:222
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/stress-corner-cases.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/stress-corner-cases.ts:27
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
scripts/stress-corner-cases.ts:28
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Hardcoded Credentials Path CVSS 7.5 CWE-798
Hardcoded path to sensitive private key file using HOME environment variable
scripts/test-profitable-withdrawal.ts:20
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Sensitive Data In Memory CVSS 5.5 CWE-316
Private key loaded directly into memory without secure handling
scripts/test-profitable-withdrawal.ts:20
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
File read without path validation could allow reading arbitrary files if marketInfo source is compromised
scripts/test-profitable-withdrawal.ts:16
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Error Handling CVSS 3.7 CWE-390
Empty catch block silently swallows errors, hiding potential security issues
scripts/test-profitable-withdrawal.ts:63
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Input Validation CVSS 5.3 CWE-20
No validation of accountIdx parameter before use in blockchain transaction
scripts/test-profitable-withdrawal.ts:106
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Bigint String Conversion CVSS 3.1 CWE-681
BigInt to string conversion for transaction data may lose precision or be manipulated
scripts/test-profitable-withdrawal.ts:125
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Race Condition CVSS 4.7 CWE-367
Time-of-check to time-of-use (TOCTOU) vulnerability when finding new account index
scripts/test-profitable-withdrawal.ts:78
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Denial Of Service CVSS 3.7 CWE-400
Unbounded loop with external API calls could cause resource exhaustion
scripts/test-profitable-withdrawal.ts:245
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-209
Detailed error logs may expose sensitive transaction information
scripts/test-profitable-withdrawal.ts:179
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/test-profitable-withdrawal.ts:9
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
scripts/test-profitable-withdrawal.ts:10
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/test-profitable-withdrawal.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/test-profitable-withdrawal.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/test-profitable-withdrawal.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Hardcoded Credentials CVSS 7.5 CWE-798
Private key loaded from predictable filesystem location without validation
scripts/test-price-profit.ts:23
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Use of process.env.HOME in file path construction without sanitization
scripts/test-price-profit.ts:23
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insecure File Read CVSS 4.3 CWE-20
Configuration file read without existence or integrity validation
scripts/test-price-profit.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Oracle Manipulation CVSS 9.1 CWE-284
Oracle price can be arbitrarily set by admin, enabling price manipulation attacks
scripts/test-price-profit.ts:63
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Error Handling CVSS 4 CWE-755
Errors are caught but only partially logged, masking security-relevant details
scripts/test-price-profit.ts:148
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Timestamp Manipulation CVSS 5 CWE-367
Client-side timestamp used for oracle price updates without server validation
scripts/test-price-profit.ts:64
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Input Validation CVSS 5.5 CWE-20
Trade size calculated without bounds checking or validation
scripts/test-price-profit.ts:161
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Integer Overflow CVSS 5.5 CWE-190
BigInt arithmetic without overflow/underflow checks in price calculations
scripts/test-price-profit.ts:186
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/test-price-profit.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/test-price-profit.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/test-price-profit.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/test-price-profit.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
scripts/test-price-profit.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Hardcoded Secrets Exposure CVSS 7.5 CWE-798
Private key loaded from predictable filesystem location without encryption
scripts/audit-oracle-edge.ts:24
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Path construction using process.env.HOME without validation could be manipulated
scripts/audit-oracle-edge.ts:24
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Sensitive Data Exposure CVSS 5.9 CWE-494
Market configuration including program IDs and vault addresses loaded from JSON file without integrity verification
scripts/audit-oracle-edge.ts:19
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Error Handling CVSS 4.3 CWE-755
Generic error catching swallows all exceptions, potentially hiding critical failures
scripts/audit-oracle-edge.ts:56
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Denial Of Service CVSS 5.3 CWE-400
Unbounded delay function could be exploited for resource exhaustion
scripts/audit-oracle-edge.ts:36
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insecure Randomness CVSS 3.1 CWE-330
Using hardcoded index values (65535) without validation in keeper crank operations
scripts/audit-oracle-edge.ts:148
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.7 CWE-532
Writing detailed test results to status.md file without access controls
scripts/audit-oracle-edge.ts:365
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Integer Overflow CVSS 3.1 CWE-190
BigInt arithmetic operations without explicit overflow checks
scripts/audit-oracle-edge.ts:247
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/audit-oracle-edge.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/audit-oracle-edge.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/audit-oracle-edge.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/audit-oracle-edge.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unused Import
'encodeInitUser' is imported but never used
scripts/audit-oracle-edge.ts:13
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Unused Import
'ACCOUNTS_INIT_USER' is imported but never used
scripts/audit-oracle-edge.ts:14
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
HIGH Hardcoded Secrets Exposure CVSS 7.5 CWE-798
Private key loaded from predictable filesystem path without validation
scripts/bug-recovery-overhaircut.ts:42
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Path construction using environment variable without sanitization
scripts/bug-recovery-overhaircut.ts:42
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Denial Of Service CVSS 5.3 CWE-400
Synchronous file read operations can block the event loop
scripts/bug-recovery-overhaircut.ts:39
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insecure Randomness CVSS 3.7 CWE-330
Using Date.now() for timestamp in financial operations
scripts/bug-recovery-overhaircut.ts:107
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Error Handling CVSS 4.3 CWE-209
Error messages are truncated which may hide critical security information
scripts/bug-recovery-overhaircut.ts:77
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Race Condition CVSS 5.9 CWE-367
TOCTOU race condition between checking indices and using them
scripts/bug-recovery-overhaircut.ts:117
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Integer Overflow CVSS 3.1 CWE-190
BigInt to Number conversion may lose precision for large values
scripts/bug-recovery-overhaircut.ts:292
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 2.4 CWE-532
Detailed internal state and financial information logged to console
scripts/bug-recovery-overhaircut.ts:482
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Input Validation CVSS 5.3 CWE-20
JSON file content parsed without schema validation
scripts/bug-recovery-overhaircut.ts:39
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/bug-recovery-overhaircut.ts:22
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/bug-recovery-overhaircut.ts:34
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
scripts/bug-recovery-overhaircut.ts:35
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Hardcoded Secrets Exposure CVSS 7.5 CWE-798
Private key loaded from predictable filesystem path without validation or encryption
scripts/oracle-authority-stress.ts:23
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
MEDIUM Path Traversal CVSS 5.3 CWE-22
Use of process.env.HOME in file path without sanitization could be manipulated in certain environments
scripts/oracle-authority-stress.ts:23
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
MEDIUM Insufficient Error Handling CVSS 5 CWE-755
Transaction errors are caught and logged but execution continues, potentially leaving system in inconsistent state
scripts/oracle-authority-stress.ts:40
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
MEDIUM Timestamp Manipulation CVSS 6.5 CWE-367
Client-side timestamp generation for oracle price could be manipulated
scripts/oracle-authority-stress.ts:52
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
MEDIUM Missing Input Validation CVSS 5.5 CWE-20
Price parameter lacks validation for reasonable bounds before conversion
scripts/oracle-authority-stress.ts:51
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
MEDIUM Denial Of Service CVSS 5.5 CWE-400
Stress test scenarios with extreme price swings could drain insurance fund or cause system instability on devnet/mainnet
scripts/oracle-authority-stress.ts:109
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
LOW Information Disclosure CVSS 3.1 CWE-209
Error messages are truncated, potentially hiding security-relevant information needed for debugging
scripts/oracle-authority-stress.ts:40
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
MEDIUM Missing Network Validation CVSS 6 CWE-345
Hardcoded devnet URL but no validation that market config matches network, could lead to accidental mainnet execution
scripts/oracle-authority-stress.ts:21
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/oracle-authority-stress.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/oracle-authority-stress.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/oracle-authority-stress.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/oracle-authority-stress.ts:16
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
HIGH Sensitive Data Exposure CVSS 7.5 CWE-522
Private key loaded from predictable filesystem path without access control verification
scripts/verify-threshold-autoadjust.ts:17
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Use of process.env.HOME in file path construction without validation could be manipulated
scripts/verify-threshold-autoadjust.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling Information Disclosure CVSS 3.1 CWE-390
Silent error swallowing in runCrank() hides potential security-relevant failures
scripts/verify-threshold-autoadjust.ts:56
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insecure File Read CVSS 5.5 CWE-20
Reading and parsing JSON file without validation of content structure or integrity
scripts/verify-threshold-autoadjust.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Denial Of Service CVSS 3.7 CWE-400
Fixed delay between cranks without exponential backoff could lead to resource exhaustion on failure
scripts/verify-threshold-autoadjust.ts:98
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Numeric Precision CVSS 2.1 CWE-681
Converting BigInt to Number for display could lose precision for very large values
scripts/verify-threshold-autoadjust.ts:72
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/verify-threshold-autoadjust.ts:9
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/verify-threshold-autoadjust.ts:10
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/verify-threshold-autoadjust.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/verify-threshold-autoadjust.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Hardcoded Credentials CVSS 5.3 CWE-798
Private key loaded from predictable filesystem path without validation
scripts/test-profit-withdrawal.ts:23
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5 CWE-22
External JSON file read without path validation
scripts/test-profit-withdrawal.ts:19
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Improper Error Handling CVSS 3.1 CWE-390
Silent error swallowing in runCrank function hides potential security issues
scripts/test-profit-withdrawal.ts:55
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Integer Overflow CVSS 3.7 CWE-190
BigInt arithmetic could have edge cases with negative values
scripts/test-profit-withdrawal.ts:91
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Denial Of Service CVSS 3.5 CWE-400
Unbounded iteration over parsed indices without limit
scripts/test-profit-withdrawal.ts:102
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 2.7 CWE-209
Detailed error messages exposed could reveal system information
scripts/test-profit-withdrawal.ts:68
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/test-profit-withdrawal.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/test-profit-withdrawal.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/test-profit-withdrawal.ts:16
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/test-profit-withdrawal.ts:17
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
scripts/test-profit-withdrawal.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unused Import
'encodeTradeCpi' is imported but never used
scripts/test-profit-withdrawal.ts:15
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Unused Import
'encodeDepositCollateral' is imported but never used
scripts/test-profit-withdrawal.ts:15
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Unused Import
'encodeInitUser' is imported but never used
scripts/test-profit-withdrawal.ts:15
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Unused Import
'ACCOUNTS_TRADE_CPI' is imported but never used
scripts/test-profit-withdrawal.ts:16
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Unused Import
'ACCOUNTS_DEPOSIT_COLLATERAL' is imported but never used
scripts/test-profit-withdrawal.ts:16
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Unused Import
'ACCOUNTS_INIT_USER' is imported but never used
scripts/test-profit-withdrawal.ts:16
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Hardcoded file path for reading configuration without validation
scripts/dump-market.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Denial Of Service CVSS 5 CWE-400
Synchronous file read operation can block the event loop and lacks size validation
scripts/dump-market.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Unsafe Deserialization CVSS 5.5 CWE-502
JSON.parse without schema validation allows arbitrary object structure injection
scripts/dump-market.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-209
Detailed error information exposed through console.error
scripts/dump-market.ts:209
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Integer Overflow CVSS 4.3 CWE-190
BigInt to Number conversion can lose precision for large values
scripts/dump-market.ts:17
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Hardcoded Endpoint CVSS 3.7 CWE-295
Hardcoded RPC endpoint without TLS certificate validation
scripts/dump-market.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Race Condition CVSS 3.1 CWE-362
Non-atomic file write could result in corrupted output if interrupted
scripts/dump-market.ts:180
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Division By Zero CVSS 5 CWE-369
Potential division by zero when oracle price calculation results in zero
scripts/dump-market.ts:35
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Hardcoded Secret Path CVSS 5.3 CWE-798
Hardcoded path to private key file using HOME environment variable
scripts/bug-margin-initial-vs-maintenance.ts:40
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5 CWE-22
Path constructed using environment variable without validation could be manipulated
scripts/bug-margin-initial-vs-maintenance.ts:40
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Unsafe Json Parsing CVSS 4.8 CWE-20
JSON parsing of external file without schema validation
scripts/bug-margin-initial-vs-maintenance.ts:36
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Error Handling CVSS 3.1 CWE-390
Empty catch blocks swallow errors silently without logging
scripts/bug-margin-initial-vs-maintenance.ts:181
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Race Condition CVSS 3.7 CWE-362
Time-based delay used for state synchronization instead of proper confirmation
scripts/bug-margin-initial-vs-maintenance.ts:194
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Numeric Precision CVSS 2 CWE-681
Floating point conversion in fmt() function may lose precision for large values
scripts/bug-margin-initial-vs-maintenance.ts:43
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/bug-margin-initial-vs-maintenance.ts:19
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/bug-margin-initial-vs-maintenance.ts:29
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
scripts/bug-margin-initial-vs-maintenance.ts:30
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Hardcoded Secret Path CVSS 7.5 CWE-798
Private key loaded from predictable filesystem path without secure key management
scripts/crank-bot.ts:16
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Reading market configuration from relative path without validation
scripts/crank-bot.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 5 CWE-20
No validation of JSON structure or public key formats from config file
scripts/crank-bot.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Denial Of Service CVSS 3.7 CWE-400
Infinite loop without backoff strategy or circuit breaker on repeated failures
scripts/crank-bot.ts:41
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-209
Full error messages logged which may contain sensitive information
scripts/crank-bot.ts:47
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Transaction Validation CVSS 4.3 CWE-754
skipPreflight:true bypasses simulation checks, potentially submitting invalid transactions
scripts/crank-bot.ts:24
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/crank-bot.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/crank-bot.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/crank-bot.ts:9
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Hardcoded Credentials Path CVSS 7.5 CWE-798
Secret key loaded from predictable filesystem path without validation
scripts/update-funding-config.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Input Validation CVSS 5.3 CWE-20
JSON file parsed without schema validation, allowing malformed or malicious config injection
scripts/update-funding-config.ts:10
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Error Handling CVSS 4.3 CWE-755
Synchronous file read without try-catch can crash the application and potentially leak error details
scripts/update-funding-config.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Sensitive Data Exposure CVSS 3.1 CWE-532
Admin public key logged to console which may be captured in logs
scripts/update-funding-config.ts:20
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Transaction Simulation CVSS 2.5 CWE-754
Transaction sent without prior simulation to verify it will succeed
scripts/update-funding-config.ts:58
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/update-funding-config.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/update-funding-config.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/update-funding-config.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Sensitive Data Exposure CVSS 7.5 CWE-522
Hardcoded path to private key file using HOME environment variable
scripts/verify-binary-devnet.ts:24
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Reading market configuration from relative file path without validation
scripts/verify-binary-devnet.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 5 CWE-20
No validation of parsed JSON structure before using as PublicKey inputs
scripts/verify-binary-devnet.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling Information Disclosure CVSS 3.1 CWE-209
Error messages are truncated but still exposed, could leak internal details
scripts/verify-binary-devnet.ts:61
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Error Handling CVSS 3.7 CWE-252
Environment variable SOLANA_RPC_URL used without validation, falls back to public endpoint
scripts/verify-binary-devnet.ts:21
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/verify-binary-devnet.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/verify-binary-devnet.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/verify-binary-devnet.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
scripts/verify-binary-devnet.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Hardcoded Secrets Exposure CVSS 7.5 CWE-798
Private key loaded from predictable filesystem path without encryption
scripts/test-threshold-increase.ts:22
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Path construction using environment variable without sanitization
scripts/test-threshold-increase.ts:22
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Error Handling CVSS 4 CWE-390
Silent error swallowing in critical blockchain operations loses important debugging information
scripts/test-threshold-increase.ts:52
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-209
Error messages are truncated but still exposed which may leak implementation details
scripts/test-threshold-increase.ts:77
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Input Validation CVSS 5.5 CWE-20
JSON file contents from external source parsed without schema validation
scripts/test-threshold-increase.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Denial Of Service CVSS 3.7 CWE-400
Synchronous file read at module load time blocks event loop
scripts/test-threshold-increase.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Race Condition CVSS 5.9 CWE-367
Time-of-check to time-of-use (TOCTOU) race condition between state check and trade execution
scripts/test-threshold-increase.ts:117
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/test-threshold-increase.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/test-threshold-increase.ts:9
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/test-threshold-increase.ts:10
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/test-threshold-increase.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Sensitive Data Exposure CVSS 7.5 CWE-522
Private key loaded from predictable filesystem path without access control validation
scripts/stress-haircut-system.ts:32
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Use of process.env.HOME in file path construction without validation
scripts/stress-haircut-system.ts:32
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insecure File Read CVSS 5.9 CWE-494
Reading configuration from local JSON file without integrity verification
scripts/stress-haircut-system.ts:27
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Denial Of Service CVSS 5.3 CWE-400
Unbounded loop in initUser scanning all indices without limit
scripts/stress-haircut-system.ts:152
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Error Handling CVSS 4.3 CWE-390
Silent catch blocks suppress errors without logging, potentially hiding security issues
scripts/stress-haircut-system.ts:131
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Race Condition CVSS 4.7 CWE-367
TOCTOU race condition between checking beforeIndices and reading afterState
scripts/stress-haircut-system.ts:149
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Hardcoded Configuration CVSS 3.1 CWE-798
Hardcoded RPC endpoint limits flexibility and may expose to endpoint compromise
scripts/stress-haircut-system.ts:35
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Integer Overflow CVSS 3.7 CWE-190
Large constant values used without overflow protection in calculations
scripts/stress-haircut-system.ts:37
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 2.4 CWE-532
Detailed internal state information logged to console
scripts/stress-haircut-system.ts:38
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/stress-haircut-system.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/stress-haircut-system.ts:30
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
scripts/stress-haircut-system.ts:31
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Hardcoded Secrets CVSS 7.5 CWE-798
Private key loaded from well-known filesystem path without additional protection
scripts/test-hyperp-market.ts:63
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Path construction using environment variable without validation
scripts/test-hyperp-market.ts:63
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Sensitive Data Exposure CVSS 5.5 CWE-312
Sensitive market configuration and private keys written to local file without encryption
scripts/test-hyperp-market.ts:254
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insecure Configuration CVSS 4.3 CWE-754
Transaction sent with skipPreflight enabled, bypassing simulation checks
scripts/test-hyperp-market.ts:322
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling CVSS 3.7 CWE-390
Empty catch block silently swallows errors during withdrawal
scripts/test-hyperp-market.ts:346
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-209
Error message truncation may hide important security-relevant information
scripts/test-hyperp-market.ts:361
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Race Condition CVSS 3.7 CWE-367
TOCTOU (time-of-check to time-of-use) race condition when checking file existence
scripts/test-hyperp-market.ts:83
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
scripts/test-hyperp-market.ts:57
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/test-hyperp-market.ts:58
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/test-hyperp-market.ts:59
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unused Import
'parseHeader' is imported but never used
scripts/test-hyperp-market.ts:58
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
CRITICAL Hardcoded Secrets Exposure CVSS 9.1 CWE-798
Private key loaded from predictable filesystem path without any validation or encryption
scripts/pentest-oracle.ts:29
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Path Traversal CVSS 7.5 CWE-22
Environment variable HOME used in file path without sanitization
scripts/pentest-oracle.ts:29
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Denial Of Service CVSS 5.3 CWE-400
Synchronous file reads on startup can block event loop and cause DoS
scripts/pentest-oracle.ts:23
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Integer Overflow CVSS 6.5 CWE-190
Math.round on floating point multiplication may lose precision for large values
scripts/pentest-oracle.ts:66
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 5.5 CWE-20
pushPrice function accepts any number including negative values without validation
scripts/pentest-oracle.ts:65
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Unsafe Type Conversion CVSS 5 CWE-681
BigInt to Number conversion via Number() may lose precision for large amounts
scripts/pentest-oracle.ts:119
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-209
Error messages are truncated but may still leak sensitive implementation details
scripts/pentest-oracle.ts:52
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Race Condition CVSS 3.7 CWE-362
User index retrieval after transaction may be affected by concurrent transactions
scripts/pentest-oracle.ts:105
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Error Handling CVSS 3.1 CWE-755
Connection to Solana devnet has no retry logic or error handling
scripts/pentest-oracle.ts:27
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/pentest-oracle.ts:17
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/pentest-oracle.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/pentest-oracle.ts:19
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/pentest-oracle.ts:20
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Sensitive Data Exposure CVSS 7.5 CWE-522
Private key loaded from predictable filesystem path without encryption
scripts/test-fee-rounding.ts:30
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
File path constructed using environment variable without validation
scripts/test-fee-rounding.ts:30
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insecure File Read CVSS 4.3 CWE-209
JSON file read without existence check or error handling could expose system information
scripts/test-fee-rounding.ts:24
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Integer Overflow CVSS 5.9 CWE-190
BigInt arithmetic could produce unexpected results with extreme values
scripts/test-fee-rounding.ts:128
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Denial Of Service CVSS 3.7 CWE-400
Hardcoded RPC endpoint without rate limiting or retry logic
scripts/test-fee-rounding.ts:33
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-209
Error details potentially exposed in catch block output
scripts/test-fee-rounding.ts:239
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Race Condition CVSS 3.7 CWE-367
Time-of-check to time-of-use race condition in account index detection
scripts/test-fee-rounding.ts:78
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/test-fee-rounding.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/test-fee-rounding.ts:25
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
scripts/test-fee-rounding.ts:26
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/test-fee-rounding.ts:51
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Sensitive Data Exposure CVSS 7.5 CWE-522
Private key loaded from filesystem without secure handling, path potentially exposed via environment variable
scripts/setup-devnet-market.ts:97
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
WALLET_PATH environment variable used without sanitization, allowing potential path traversal
scripts/setup-devnet-market.ts:96
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 4.3 CWE-754
Balance check uses arbitrary threshold without configurable minimum for critical operations
scripts/setup-devnet-market.ts:107
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Hardcoded Configuration CVSS 3.7 CWE-798
Hardcoded program IDs and oracle addresses without verification mechanism
scripts/setup-devnet-market.ts:56
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Error Handling CVSS 4.8 CWE-129
Chainlink oracle data parsing without comprehensive bounds checking
scripts/setup-devnet-market.ts:83
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Race Condition CVSS 5.9 CWE-362
Reading slab state for index calculation without atomic operation could race with other writers
scripts/setup-devnet-market.ts:253
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insecure File Operation CVSS 3.1 CWE-732
Market info written to predictable file location without access controls
scripts/setup-devnet-market.ts:335
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Denial Of Service CVSS 3.7 CWE-754
Oracle staleness check only warns but continues execution with stale data
scripts/setup-devnet-market.ts:116
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
scripts/setup-devnet-market.ts:53
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/setup-devnet-market.ts:54
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/setup-devnet-market.ts:55
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Hardcoded Secrets Path CVSS 7.5 CWE-798
Private key loaded from predictable filesystem path using HOME environment variable
scripts/verify-fixes.ts:45
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Reading JSON configuration file without path validation
scripts/verify-fixes.ts:40
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insecure Network Endpoint CVSS 5.9 CWE-295
Using devnet RPC endpoint without TLS certificate validation configuration
scripts/verify-fixes.ts:43
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Error Handling CVSS 4.3 CWE-390
Empty catch block silently swallows errors from oracle authority setup
scripts/verify-fixes.ts:241
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Denial Of Service CVSS 3.7 CWE-400
Delay function without timeout limits could cause indefinite waiting
scripts/verify-fixes.ts:48
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-209
Error messages are truncated but still potentially leak sensitive information
scripts/verify-fixes.ts:267
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Race Condition CVSS 3.7 CWE-362
Potential race condition in initUser when detecting new account index
scripts/verify-fixes.ts:74
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/verify-fixes.ts:33
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
scripts/verify-fixes.ts:34
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Hardcoded Secrets Exposure CVSS 7.5 CWE-798
Private key loaded from predictable file path without validation or encryption
scripts/audit-timing-attacks.ts:24
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Unvalidated path construction using process.env.HOME could be manipulated
scripts/audit-timing-attacks.ts:24
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insecure File Operations CVSS 4.3 CWE-20
Synchronous file read without error handling for JSON parsing of external file
scripts/audit-timing-attacks.ts:17
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Denial Of Service CVSS 5 CWE-400
Unbounded delay function could be exploited if ms value is externally controlled
scripts/audit-timing-attacks.ts:35
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-532
Sensitive test results written to status.md file without access controls
scripts/audit-timing-attacks.ts:332
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling CVSS 2.5 CWE-755
Generic error catching loses stack trace and error details
scripts/audit-timing-attacks.ts:42
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Race Condition CVSS 2 CWE-362
File read/write race condition when updating status.md
scripts/audit-timing-attacks.ts:324
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Logging CVSS 2 CWE-778
Security audit script lacks detailed logging for forensic analysis
scripts/audit-timing-attacks.ts:339
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/audit-timing-attacks.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/audit-timing-attacks.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/audit-timing-attacks.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/audit-timing-attacks.ts:16
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unused Import
'encodeInitUser' is imported but never used
scripts/audit-timing-attacks.ts:14
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Unused Import
'encodeDepositCollateral' is imported but never used
scripts/audit-timing-attacks.ts:14
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Unused Import
'ACCOUNTS_INIT_USER' is imported but never used
scripts/audit-timing-attacks.ts:15
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Unused Import
'ACCOUNTS_DEPOSIT_COLLATERAL' is imported but never used
scripts/audit-timing-attacks.ts:15
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Hardcoded file path read without validation could be manipulated if the working directory is changed or symlinks are present
scripts/check-indices.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Input Validation CVSS 5 CWE-20
JSON file contents are parsed and used without schema validation
scripts/check-indices.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Error Handling CVSS 3.7 CWE-755
Async function main() lacks proper error handling for network and parsing operations
scripts/check-indices.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-200
Default RPC URL is exposed in code, and custom RPC URLs from environment may be logged in error messages
scripts/check-indices.ts:9
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/check-indices.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Hardcoded Credentials CVSS 2.1 CWE-798
Hardcoded RPC endpoint URL exposes infrastructure details
scripts/investigate-lp-desync.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 4.3 CWE-22
File path read from JSON config without validation could be manipulated if config is compromised
scripts/investigate-lp-desync.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Improper Error Handling CVSS 2 CWE-209
Generic error handler may leak sensitive information in stack traces
scripts/investigate-lp-desync.ts:145
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Integer Overflow CVSS 4 CWE-190
Mixing Number and BigInt arithmetic could cause precision loss with large values
scripts/investigate-lp-desync.ts:99
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Hardcoded Sensitive Data CVSS 2.5 CWE-547
Hardcoded vault balance used in security calculations
scripts/investigate-lp-desync.ts:114
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unsafe Type Coercion CVSS 2 CWE-704
Unsafe type coercion with || 0 pattern on potentially undefined BigInt values
scripts/investigate-lp-desync.ts:76
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/investigate-lp-desync.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Sensitive Data Exposure CVSS 9.1 CWE-312
Private key loaded from predictable filesystem path without encryption
scripts/add-vamm-lp.ts:36
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Path Traversal CVSS 7.5 CWE-22
Path construction using process.env.HOME without validation allows potential path manipulation
scripts/add-vamm-lp.ts:36
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Insecure File Operations CVSS 7.2 CWE-367
Reading and writing to devnet-market.json without validation or atomic operations
scripts/add-vamm-lp.ts:31
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 5.3 CWE-20
LP index discovery uses simple iteration without bounds checking or validation against actual slab capacity
scripts/add-vamm-lp.ts:79
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Integer Overflow CVSS 5.9 CWE-190
BigInt right shift for u128 encoding could produce incorrect results for edge case values
scripts/add-vamm-lp.ts:55
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Error Handling CVSS 4.3 CWE-755
Transaction failures do not provide detailed error context or retry logic
scripts/add-vamm-lp.ts:128
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Hardcoded Configuration CVSS 3.7 CWE-1188
Security-critical vAMM parameters are hardcoded without validation or documentation of safe ranges
scripts/add-vamm-lp.ts:23
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-312
Sensitive operational data (LP PDA, matcher context, configuration) written to plain text file
scripts/add-vamm-lp.ts:145
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/add-vamm-lp.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/add-vamm-lp.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/add-vamm-lp.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/add-vamm-lp.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
scripts/add-vamm-lp.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Hardcoded Credentials CVSS 5.5 CWE-798
Hardcoded path to private key file using environment variable without validation
scripts/test-edge-cases.ts:51
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
File read from JSON configuration without path validation
scripts/test-edge-cases.ts:48
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insecure Randomness CVSS 3.1 CWE-330
Current timestamp used for oracle price updates, which is predictable
scripts/test-edge-cases.ts:54
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Denial Of Service CVSS 3.7 CWE-400
Unbounded retry loop in crankN function could hang indefinitely on persistent failures
scripts/test-edge-cases.ts:56
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling CVSS 2.1 CWE-390
Empty catch blocks throughout the code suppress errors silently
scripts/test-edge-cases.ts:102
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Race Condition CVSS 4.3 CWE-362
initUser detects new account by comparing sets before and after, but concurrent calls could cause misidentification
scripts/test-edge-cases.ts:131
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Integer Overflow CVSS 2.5 CWE-190
Number division for formatting large bigints may lose precision
scripts/test-edge-cases.ts:53
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Sensitive Data Exposure CVSS 3.1 CWE-209
Full error messages are logged which may contain sensitive information
scripts/test-edge-cases.ts:593
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/test-edge-cases.ts:40
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
scripts/test-edge-cases.ts:41
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Hardcoded Secrets CVSS 7.5 CWE-798
Private key loaded from predictable filesystem path without validation
scripts/random-traders.ts:33
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Unvalidated path construction using HOME environment variable
scripts/random-traders.ts:33
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Denial Of Service CVSS 4.3 CWE-400
Synchronous file read operations block event loop
scripts/random-traders.ts:21
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Input Validation CVSS 5 CWE-20
JSON parsing of external file without schema validation
scripts/random-traders.ts:21
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Integer Overflow CVSS 5.5 CWE-190
BigInt arithmetic without overflow checks in price calculations
scripts/random-traders.ts:169
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Race Condition CVSS 5.9 CWE-367
Time-of-check to time-of-use (TOCTOU) vulnerability in trade execution
scripts/random-traders.ts:684
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-209
Detailed error messages logged without sanitization
scripts/random-traders.ts:741
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Error Handling CVSS 3.7 CWE-390
Empty catch blocks silently swallow errors
scripts/random-traders.ts:357
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Resource Exhaustion CVSS 3.3 CWE-835
Infinite loop without exit condition or health checks
scripts/random-traders.ts:653
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Randomness CVSS 2.5 CWE-330
Math.random() used for trading decisions
scripts/random-traders.ts:688
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/random-traders.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/random-traders.ts:9
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/random-traders.ts:10
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/random-traders.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
File path 'devnet-market.json' is read without validation, potentially allowing path traversal if filename comes from external source
scripts/monitor-soft-burn.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW JSON Parsing DoS CVSS 3.7 CWE-400
JSON.parse on file content without size limits could cause memory exhaustion with large files
scripts/monitor-soft-burn.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Input Validation CVSS 4.3 CWE-20
PublicKey created from JSON file without validation could throw or create invalid key
scripts/monitor-soft-burn.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling CVSS 2.1 CWE-755
Error handling in setInterval only logs message, potentially hiding important error details
scripts/monitor-soft-burn.ts:86
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW BigInt Overflow CVSS 2.5 CWE-190
BigInt to Number conversion could lose precision for very large values
scripts/monitor-soft-burn.ts:68
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Hardcoded Endpoint CVSS 2 CWE-798
RPC endpoint URL is hardcoded, limiting flexibility and potentially exposing infrastructure details
scripts/monitor-soft-burn.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/monitor-soft-burn.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Hardcoded file path read without validation could be exploited if file contents are attacker-controlled
scripts/show-lp-contexts.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Sensitive Data Exposure CVSS 3.1 CWE-200
dotenv/config loads environment variables which may contain sensitive RPC credentials
scripts/show-lp-contexts.ts:1
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Input Validation CVSS 4.3 CWE-20
PublicKey constructed from untrusted JSON file without validation
scripts/show-lp-contexts.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Denial Of Service CVSS 3.7 CWE-400
Iterating over usedIndices without bounds checking could cause performance issues with large datasets
scripts/show-lp-contexts.ts:16
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling CVSS 2.1 CWE-209
Generic error handling with console.error may expose sensitive information
scripts/show-lp-contexts.ts:32
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/show-lp-contexts.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unused Import
'AccountKind' is imported but never used
scripts/show-lp-contexts.ts:4
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Hardcoded file path read without validation could be manipulated if file is symlinked or replaced
scripts/check-params.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insecure Deserialization CVSS 5.5 CWE-502
JSON.parse on file content without schema validation could lead to unexpected data injection
scripts/check-params.ts:5
Fix Complexity: HIGH
Est. Time: 4-8 hours
Affected: Application Core
LOW Missing Error Handling CVSS 3.7 CWE-755
Async main function lacks proper error handling for network and parsing failures
scripts/check-params.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Hardcoded Endpoint CVSS 2 CWE-798
Hardcoded RPC endpoint limits flexibility and could expose devnet usage in production
scripts/check-params.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/check-params.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Hardcoded Secrets Exposure CVSS 7.5 CWE-798
Private key loaded from predictable filesystem path without validation or encryption
scripts/audit-redteam.ts:30
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Path constructed using process.env.HOME without sanitization could be manipulated
scripts/audit-redteam.ts:30
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Sensitive Data Logging CVSS 4.3 CWE-532
Financial and account state information logged to console without sanitization
scripts/audit-redteam.ts:142
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Error Handling CVSS 4 CWE-209
Generic error catching with potential information disclosure in error messages
scripts/audit-redteam.ts:51
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Race Condition CVSS 5.9 CWE-362
State read-then-act pattern without atomicity guarantees between getMarketState and subsequent operations
scripts/audit-redteam.ts:243
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insecure File Operations CVSS 4.7 CWE-20
JSON file parsing without schema validation could lead to unexpected behavior
scripts/audit-redteam.ts:25
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Denial Of Service CVSS 3.7 CWE-400
Unbounded delay function could be abused if delay parameter is user-controlled
scripts/audit-redteam.ts:42
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unsafe File Write CVSS 3.1 CWE-367
File write operation without atomic write pattern could result in corrupted data on crash
scripts/audit-redteam.ts:508
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Input Validation CVSS 3.7 CWE-20
Trade function accepts arbitrary size parameter without validation
scripts/audit-redteam.ts:63
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/audit-redteam.ts:19
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/audit-redteam.ts:20
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/audit-redteam.ts:21
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/audit-redteam.ts:22
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unused Import
'encodeInitUser' is imported but never used
scripts/audit-redteam.ts:20
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Unused Import
'ACCOUNTS_INIT_USER' is imported but never used
scripts/audit-redteam.ts:21
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Hardcoded file path read without validation could be exploited if file contents are attacker-controlled
scripts/show-lp-owners.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Input Validation CVSS 5 CWE-20
JSON parsed configuration values used directly to construct PublicKey without validation
scripts/show-lp-owners.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Sensitive Data Exposure CVSS 3.1 CWE-200
RPC URL potentially containing API keys exposed via environment variable with insecure fallback
scripts/show-lp-owners.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling CVSS 2.5 CWE-209
Generic error handling with console.error may leak sensitive information in error messages
scripts/show-lp-owners.ts:38
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/show-lp-owners.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unused Import
'AccountKind' is imported but never used
scripts/show-lp-owners.ts:4
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
HIGH Hardcoded Credentials Path CVSS 7.5 CWE-798
Hardcoded path to private key file using HOME environment variable
scripts/stress-worst-case.ts:27
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Reading configuration from relative path without validation
scripts/stress-worst-case.ts:21
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Error Handling CVSS 4.3 CWE-755
Swallowing exceptions without proper logging or handling in setOracleAuthority
scripts/stress-worst-case.ts:135
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Oracle Manipulation CVSS 9.1 CWE-284
Oracle price can be arbitrarily set by the payer without any validation or rate limiting
scripts/stress-worst-case.ts:63
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Denial Of Service CVSS 5.9 CWE-400
Unbounded retry loop for cranking without exponential backoff
scripts/stress-worst-case.ts:236
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Race Condition CVSS 5.3 CWE-362
State can change between reading account indices and using them for deposits
scripts/stress-worst-case.ts:186
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Sensitive Data Exposure CVSS 3.1 CWE-532
Detailed financial state logged to console including positions, capital, and PnL
scripts/stress-worst-case.ts:30
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Integer Overflow CVSS 2.5 CWE-190
Division of bigint by 2n could result in precision loss for odd values
scripts/stress-worst-case.ts:215
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/stress-worst-case.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/stress-worst-case.ts:19
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/stress-worst-case.ts:20
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/stress-worst-case.ts:21
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
scripts/stress-worst-case.ts:22
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Hardcoded Credentials Path CVSS 5.5 CWE-798
Hardcoded path to private key file using HOME environment variable
scripts/test-funding-manipulation.ts:36
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Reading JSON configuration from a relative path without validation
scripts/test-funding-manipulation.ts:29
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Error Handling CVSS 3.7 CWE-390
Empty catch blocks swallow errors silently, hiding potential security issues
scripts/test-funding-manipulation.ts:188
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Input Validation CVSS 4.3 CWE-754
initUser returns null on failure but caller only logs and continues, potentially leaving system in inconsistent state
scripts/test-funding-manipulation.ts:75
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Race Condition CVSS 5.9 CWE-362
Using Set difference to detect new account index is susceptible to race conditions if multiple users create accounts simultaneously
scripts/test-funding-manipulation.ts:71
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Denial Of Service CVSS 3.1 CWE-400
Fixed delay values without timeout handling could cause indefinite hangs
scripts/test-funding-manipulation.ts:39
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-209
Detailed error output to console could leak sensitive information in production
scripts/test-funding-manipulation.ts:217
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/test-funding-manipulation.ts:17
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/test-funding-manipulation.ts:27
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
scripts/test-funding-manipulation.ts:28
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Hardcoded Path Sensitive File CVSS 5.5 CWE-798
Hardcoded path to sensitive private key file with predictable location
scripts/fund-lp.ts:17
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Input Validation CVSS 4.3 CWE-20
Command line arguments parsed without validation, potentially causing unexpected behavior
scripts/fund-lp.ts:21
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing File Existence Check CVSS 3.3 CWE-252
File read operations without existence checks could cause crashes with unclear errors
scripts/fund-lp.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Error Handling CVSS 2.5 CWE-755
Transaction errors caught but only logged to console, no recovery or detailed error analysis
scripts/fund-lp.ts:45
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insecure Default Rpc CVSS 2 CWE-1188
Public RPC endpoint used as fallback, which may have rate limits and reliability issues
scripts/fund-lp.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/fund-lp.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/fund-lp.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/fund-lp.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Hardcoded Credentials Path CVSS 7.5 CWE-798
Hardcoded path to Solana keypair file exposes private key location and reads secret key directly from filesystem
scripts/disable-oracle-authority.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
MEDIUM Missing Input Validation CVSS 5.3 CWE-20
JSON file parsing without validation allows malformed or malicious market configuration
scripts/disable-oracle-authority.ts:10
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
MEDIUM Insufficient Access Control CVSS 5 CWE-862
No verification that the payer has authority to disable the oracle before sending transaction
scripts/disable-oracle-authority.ts:22
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
LOW Missing Error Handling CVSS 3.7 CWE-755
File read operations lack specific error handling for missing files or permission issues
scripts/disable-oracle-authority.ts:10
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
LOW Hardcoded Network Endpoint CVSS 2 CWE-1188
Hardcoded devnet RPC endpoint prevents flexible deployment across networks
scripts/disable-oracle-authority.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/disable-oracle-authority.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/disable-oracle-authority.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/disable-oracle-authority.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
HIGH Hardcoded Secrets CVSS 7.5 CWE-798
Private key loaded from predictable file path without validation or encryption
scripts/test-comprehensive.ts:53
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
File path for market configuration read without sanitization
scripts/test-comprehensive.ts:49
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insecure Randomness CVSS 3.7 CWE-330
Using Date.now() for timestamp in oracle price push could be manipulated
scripts/test-comprehensive.ts:100
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Denial Of Service CVSS 5 CWE-400
Unbounded delay function with no timeout protection could hang indefinitely
scripts/test-comprehensive.ts:57
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Error Handling CVSS 4.3 CWE-390
Silent exception swallowing in crankN function hides potential errors
scripts/test-comprehensive.ts:91
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Error Handling CVSS 4.3 CWE-390
Cleanup function silently catches all errors without logging
scripts/test-comprehensive.ts:176
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Integer Overflow CVSS 5.9 CWE-190
BigInt arithmetic without overflow checks in price calculations
scripts/test-comprehensive.ts:280
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Race Condition CVSS 5.3 CWE-362
initUser relies on comparing indices before/after transaction without atomic guarantee
scripts/test-comprehensive.ts:105
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-209
Full error stack traces exposed on failure
scripts/test-comprehensive.ts:608
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Input Validation CVSS 3.7 CWE-20
deposit amount not validated for reasonable bounds before transaction
scripts/test-comprehensive.ts:130
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/test-comprehensive.ts:44
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
scripts/test-comprehensive.ts:45
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Hardcoded Secrets Path CVSS 7.5 CWE-798
Hardcoded path to private key file with predictable location
scripts/test-binary-market.ts:44
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Input Validation CVSS 5.3 CWE-918
No validation on SOLANA_RPC_URL environment variable allowing potential SSRF
scripts/test-binary-market.ts:34
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Error Handling CVSS 4.3 CWE-755
Generic error catching with truncated error messages may hide security-relevant information
scripts/test-binary-market.ts:333
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Race Condition CVSS 5.9 CWE-367
Time-of-check to time-of-use (TOCTOU) vulnerability in position checking loop
scripts/test-binary-market.ts:259
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Timestamp Manipulation CVSS 5.4 CWE-367
Using client-side timestamp for settlement price which could be manipulated
scripts/test-binary-market.ts:223
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Denial Of Service CVSS 3.7 CWE-400
Fixed maximum attempts without exponential backoff could lead to premature failure or resource exhaustion
scripts/test-binary-market.ts:257
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insecure Randomness CVSS 3.1 CWE-330
Using Keypair.generate(), which uses Math.random() internally; not cryptographically secure for production
scripts/test-binary-market.ts:55
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-209
Verbose error output could expose sensitive transaction details
scripts/test-binary-market.ts:372
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/test-binary-market.ts:39
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/test-binary-market.ts:40
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../src/solana/pda.js'
scripts/test-binary-market.ts:41
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Sensitive Data Exposure CVSS 7.5 CWE-522
Hardcoded private key file path exposes user credentials location and loads secret key from predictable filesystem location
scripts/admin-free-test.ts:23
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Administrative Functions
MEDIUM Path Traversal CVSS 5.3 CWE-22
Reading market configuration from relative path without validation allows potential path manipulation
scripts/admin-free-test.ts:19
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Administrative Functions
MEDIUM Error Suppression CVSS 4.3 CWE-390
Empty catch block silently swallows errors, hiding potential security-relevant failures
scripts/admin-free-test.ts:68
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Administrative Functions
MEDIUM Error Suppression CVSS 4.3 CWE-390
Trade execution errors silently suppressed, could hide critical failures including replay attacks or account manipulation
scripts/admin-free-test.ts:97
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Administrative Functions
LOW Denial Of Service CVSS 3.7 CWE-400
Fixed 2-second delay without jitter makes the script predictable and doesn't adapt to RPC rate limits
scripts/admin-free-test.ts:169
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Administrative Functions
LOW Insecure Randomness CVSS 2.5 CWE-330
Trade size selection uses predictable modulo-based cycling which could be exploited by observers
scripts/admin-free-test.ts:153
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Administrative Functions
CRITICAL Broken Reference
Cannot find module '../src/solana/slab.js'
scripts/admin-free-test.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Administrative Functions
CRITICAL Broken Reference
Cannot find module '../src/abi/instructions.js'
scripts/admin-free-test.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Administrative Functions
CRITICAL Broken Reference
Cannot find module '../src/abi/accounts.js'
scripts/admin-free-test.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Administrative Functions
CRITICAL Broken Reference
Cannot find module '../src/runtime/tx.js'
scripts/admin-free-test.ts:16
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Administrative Functions
MEDIUM Insufficient Input Validation CVSS 5.3 CWE-20
buildIx function accepts arbitrary data buffer without validation
src/runtime/tx.ts:27
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Signer Validation CVSS 5.5 CWE-129
No validation that signers array is non-empty before accessing signers[0]
src/runtime/tx.ts:52
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-209
Error messages may expose internal system details
src/runtime/tx.ts:130
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Compute Unit Validation CVSS 3.7 CWE-20
computeUnitLimit is not validated against Solana's maximum limit
src/runtime/tx.ts:56
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Race Condition CVSS 2.5 CWE-362
Gap between transaction confirmation and log fetching could miss logs
src/runtime/tx.ts:104
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../abi/errors.js'
src/runtime/tx.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'BuildIxParams' is never imported
src/runtime/tx.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'buildIx' is never imported
src/runtime/tx.ts:23
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'TxResult' is never imported
src/runtime/tx.ts:31
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'SimulateOrSendParams' is never imported
src/runtime/tx.ts:40
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'simulateOrSend' is never imported
src/runtime/tx.ts:53
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'formatResult' is never imported
src/runtime/tx.ts:160
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Sensitive Data Exposure CVSS 5.5 CWE-316
Keypair (private key) loaded into memory and stored in context object without explicit security controls
src/runtime/context.ts:21
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insecure Configuration CVSS 3.7 CWE-345
RPC URL and program ID are loaded from configuration without validation
src/runtime/context.ts:20
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Error Handling CVSS 3.1 CWE-755
createContext function lacks error handling for invalid configuration values
src/runtime/context.ts:19
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/runtime/context.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/wallet.js'
src/runtime/context.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'Context' is never imported
src/runtime/context.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'createContext' is never imported
src/runtime/context.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Path Traversal CVSS 7.5 CWE-22
User-controlled path parameter passed to file system operation without proper validation
src/solana/wallet.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Sensitive Data Exposure CVSS 4.3 CWE-209
Error message exposes resolved file path which could reveal system directory structure
src/solana/wallet.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 5.3 CWE-20
Keypair array validation only checks length, not value ranges for secret key bytes
src/solana/wallet.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insecure Cryptographic Storage CVSS 3.3 CWE-312
Secret key material is loaded into memory from plaintext JSON file
src/solana/wallet.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/solana/wallet.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'loadKeypair' is never imported
src/solana/wallet.ts:9
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Integer Overflow CVSS 5.3 CWE-190
128-bit integer arithmetic in readI128LE may lose precision when converting between signed/unsigned representations
src/solana/slab.ts:340
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Input Validation CVSS 5 CWE-20
fetchSlab accepts arbitrary PublicKey without validation that it belongs to expected program or has correct discriminator
src/solana/slab.ts:84
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Denial Of Service CVSS 3.7 CWE-400
parseUsedIndices iterates through all 64 bitmap words and all 64 bits unconditionally, potentially slow with large datasets
src/solana/slab.ts:486
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 2.1 CWE-209
Error messages include raw PublicKey values which could leak information in logs
src/solana/slab.ts:91
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Bounds Check CVSS 4.3 CWE-125
isAccountUsed does not validate buffer length before reading bitmap word
src/solana/slab.ts:504
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Type Confusion CVSS 3.1 CWE-704
AccountKind enum parsing only checks for value 1, treating all other values as User
src/solana/slab.ts:546
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'SlabHeader' is never imported
src/solana/slab.ts:24
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'MarketConfig' is never imported
src/solana/slab.ts:40
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'fetchSlab' is never imported
src/solana/slab.ts:76
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'parseHeader' is never imported
src/solana/slab.ts:90
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'parseConfig' is never imported
src/solana/slab.ts:126
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'readNonce' is never imported
src/solana/slab.ts:249
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'readLastThrUpdateSlot' is never imported
src/solana/slab.ts:259
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'InsuranceFund' is never imported
src/solana/slab.ts:370
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'RiskParams' is never imported
src/solana/slab.ts:375
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'EngineState' is never imported
src/solana/slab.ts:391
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'Account' is never imported
src/solana/slab.ts:425
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'parseParams' is never imported
src/solana/slab.ts:473
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'parseEngine' is never imported
src/solana/slab.ts:499
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'parseUsedIndices' is never imported
src/solana/slab.ts:541
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'isAccountUsed' is never imported
src/solana/slab.ts:563
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'maxAccountIndex' is never imported
src/solana/slab.ts:575
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'parseAccount' is never imported
src/solana/slab.ts:584
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'parseAllAccounts' is never imported
src/solana/slab.ts:622
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Integer Overflow CVSS 5.3 CWE-190
No validation that lpIdx is within valid UInt16 range (0-65535) before writing to buffer
src/solana/pda.ts:24
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Input Validation CVSS 3.1 CWE-20
No validation that programId and slab parameters are valid PublicKeys before use
src/solana/pda.ts:10
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'deriveVaultAuthority' is never imported
src/solana/pda.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'deriveLpPda' is never imported
src/solana/pda.ts:21
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling CVSS 2.1 CWE-755
Function throws on non-existent account without explicit error handling guidance
src/solana/ata.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Input Validation CVSS 2 CWE-20
No validation that owner and mint are valid, non-zero PublicKeys
src/solana/ata.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'getAta' is never imported
src/solana/ata.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'fetchTokenAccount' is never imported
src/solana/ata.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Regex Dos CVSS 3.1 CWE-1333
Regular expression used on untrusted log data could be susceptible to ReDoS with maliciously crafted input
src/abi/errors.ts:117
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Integer Parsing CVSS 2.5 CWE-190
parseInt without validation could parse extremely large hex values that exceed safe integer bounds
src/abi/errors.ts:118
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'PERCOLATOR_ERRORS' is never imported
src/abi/errors.ts:10
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'decodeError' is never imported
src/abi/errors.ts:120
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'getErrorName' is never imported
src/abi/errors.ts:127
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'getErrorHint' is never imported
src/abi/errors.ts:134
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'parseErrorFromLogs' is never imported
src/abi/errors.ts:142
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 5.3 CWE-20
Feed ID validation only checks length, not hex character validity
src/abi/instructions.ts:71
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Integer Overflow CVSS 4.3 CWE-190
No bounds checking on userIdx which is encoded as u16
src/abi/instructions.ts:131
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Type Confusion CVSS 3.1 CWE-843
Loose type acceptance for bigint parameters allows string inputs without validation
src/abi/instructions.ts:62
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Input Validation CVSS 2.1 CWE-20
Boolean coercion for allowPanic doesn't validate input type
src/abi/instructions.ts:158
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Bounds Validation CVSS 4 CWE-1284
confFilterBps encoded as u16 but no validation on input range
src/abi/instructions.ts:51
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'IX_TAG' is never imported
src/abi/instructions.ts:16
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'InitMarketArgs' is never imported
src/abi/instructions.ts:49
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encodeInitMarket' is never imported
src/abi/instructions.ts:85
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'InitUserArgs' is never imported
src/abi/instructions.ts:118
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encodeInitUser' is never imported
src/abi/instructions.ts:122
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'InitLPArgs' is never imported
src/abi/instructions.ts:129
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encodeInitLP' is never imported
src/abi/instructions.ts:135
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'DepositCollateralArgs' is never imported
src/abi/instructions.ts:147
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encodeDepositCollateral' is never imported
src/abi/instructions.ts:152
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'WithdrawCollateralArgs' is never imported
src/abi/instructions.ts:163
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encodeWithdrawCollateral' is never imported
src/abi/instructions.ts:168
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'KeeperCrankArgs' is never imported
src/abi/instructions.ts:180
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encodeKeeperCrank' is never imported
src/abi/instructions.ts:185
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'TradeNoCpiArgs' is never imported
src/abi/instructions.ts:196
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encodeTradeNoCpi' is never imported
src/abi/instructions.ts:202
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'LiquidateAtOracleArgs' is never imported
src/abi/instructions.ts:214
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encodeLiquidateAtOracle' is never imported
src/abi/instructions.ts:218
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'CloseAccountArgs' is never imported
src/abi/instructions.ts:228
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encodeCloseAccount' is never imported
src/abi/instructions.ts:232
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'TopUpInsuranceArgs' is never imported
src/abi/instructions.ts:239
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encodeTopUpInsurance' is never imported
src/abi/instructions.ts:243
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'TradeCpiArgs' is never imported
src/abi/instructions.ts:250
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encodeTradeCpi' is never imported
src/abi/instructions.ts:256
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'SetRiskThresholdArgs' is never imported
src/abi/instructions.ts:268
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encodeSetRiskThreshold' is never imported
src/abi/instructions.ts:272
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'UpdateAdminArgs' is never imported
src/abi/instructions.ts:282
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encodeUpdateAdmin' is never imported
src/abi/instructions.ts:286
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encodeCloseSlab' is never imported
src/abi/instructions.ts:293
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'UpdateConfigArgs' is never imported
src/abi/instructions.ts:301
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encodeUpdateConfig' is never imported
src/abi/instructions.ts:319
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'SetMaintenanceFeeArgs' is never imported
src/abi/instructions.ts:341
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encodeSetMaintenanceFee' is never imported
src/abi/instructions.ts:345
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'SetOracleAuthorityArgs' is never imported
src/abi/instructions.ts:356
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encodeSetOracleAuthority' is never imported
src/abi/instructions.ts:360
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'PushOraclePriceArgs' is never imported
src/abi/instructions.ts:372
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encodePushOraclePrice' is never imported
src/abi/instructions.ts:377
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'SetOraclePriceCapArgs' is never imported
src/abi/instructions.ts:390
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encodeSetOraclePriceCap' is never imported
src/abi/instructions.ts:394
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encodeResolveMarket' is never imported
src/abi/instructions.ts:406
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encodeWithdrawInsurance' is never imported
src/abi/instructions.ts:414
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'AccountSpec' is never imported
src/abi/accounts.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'ACCOUNTS_INIT_MARKET' is never imported
src/abi/accounts.ts:27
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'ACCOUNTS_INIT_USER' is never imported
src/abi/accounts.ts:42
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'ACCOUNTS_INIT_LP' is never imported
src/abi/accounts.ts:53
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'ACCOUNTS_DEPOSIT_COLLATERAL' is never imported
src/abi/accounts.ts:64
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'ACCOUNTS_WITHDRAW_COLLATERAL' is never imported
src/abi/accounts.ts:76
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'ACCOUNTS_KEEPER_CRANK' is never imported
src/abi/accounts.ts:90
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'ACCOUNTS_TRADE_NOCPI' is never imported
src/abi/accounts.ts:100
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'ACCOUNTS_LIQUIDATE_AT_ORACLE' is never imported
src/abi/accounts.ts:112
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'ACCOUNTS_CLOSE_ACCOUNT' is never imported
src/abi/accounts.ts:122
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'ACCOUNTS_TOPUP_INSURANCE' is never imported
src/abi/accounts.ts:136
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'ACCOUNTS_TRADE_CPI' is never imported
src/abi/accounts.ts:147
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'ACCOUNTS_SET_RISK_THRESHOLD' is never imported
src/abi/accounts.ts:161
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'ACCOUNTS_UPDATE_ADMIN' is never imported
src/abi/accounts.ts:169
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'ACCOUNTS_CLOSE_SLAB' is never imported
src/abi/accounts.ts:177
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'ACCOUNTS_UPDATE_CONFIG' is never imported
src/abi/accounts.ts:185
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'ACCOUNTS_SET_MAINTENANCE_FEE' is never imported
src/abi/accounts.ts:193
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'ACCOUNTS_SET_ORACLE_AUTHORITY' is never imported
src/abi/accounts.ts:202
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'ACCOUNTS_PUSH_ORACLE_PRICE' is never imported
src/abi/accounts.ts:211
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'ACCOUNTS_RESOLVE_MARKET' is never imported
src/abi/accounts.ts:220
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'ACCOUNTS_WITHDRAW_INSURANCE' is never imported
src/abi/accounts.ts:229
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'buildAccountMetas' is never imported
src/abi/accounts.ts:246
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'WELL_KNOWN' is never imported
src/abi/accounts.ts:266
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Input Validation CVSS 5.3 CWE-20
encU8 does not validate that input is within valid u8 range (0-255)
src/abi/encode.ts:10
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Input Validation CVSS 5.3 CWE-20
encU16 does not validate that input is within valid u16 range (0-65535)
src/abi/encode.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Input Validation CVSS 5.3 CWE-20
encU32 does not validate that input is within valid u32 range (0-4294967295)
src/abi/encode.ts:26
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling CVSS 3.1 CWE-755
encPubkey does not handle invalid base58 strings gracefully
src/abi/encode.ts:84
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Integer Handling CVSS 3.1 CWE-20
BigInt conversion from string does not validate string format
src/abi/encode.ts:34
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encU8' is never imported
src/abi/encode.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encU16' is never imported
src/abi/encode.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encU32' is never imported
src/abi/encode.ts:24
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encU64' is never imported
src/abi/encode.ts:34
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encI64' is never imported
src/abi/encode.ts:47
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encU128' is never imported
src/abi/encode.ts:61
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encI128' is never imported
src/abi/encode.ts:79
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encPubkey' is never imported
src/abi/encode.ts:103
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'encBool' is never imported
src/abi/encode.ts:111
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Precision Loss CVSS 5.3 CWE-681
Converting BigInt to Number may cause precision loss for large values
src/commands/best-price.ts:111
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Validation CVSS 3.7 CWE-20
Oracle data parsing lacks bounds checking and format validation
src/commands/best-price.ts:42
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Division By Zero CVSS 4.3 CWE-369
Division by oraclePrice without zero check could cause runtime error
src/commands/best-price.ts:122
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Empty Array Reduce CVSS 2.1 CWE-754
Array.reduce on quotes array could fail if array filtering logic changes
src/commands/best-price.ts:92
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 2 CWE-200
JSON output exposes internal LP data structure including capital and position sizes
src/commands/best-price.ts:99
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/best-price.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/best-price.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/best-price.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/slab.js'
src/commands/best-price.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../validation.js'
src/commands/best-price.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerBestPrice' is never imported
src/commands/best-price.ts:38
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Input Validation CVSS 3.1 CWE-20
Index validation depends on external validateIndex function - ensure it properly bounds-checks the 0-4095 range
src/commands/slab-account.ts:20
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 2 CWE-200
Detailed account information is exposed without authentication verification
src/commands/slab-account.ts:24
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/slab-account.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/slab-account.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/slab-account.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/slab.js'
src/commands/slab-account.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../validation.js'
src/commands/slab-account.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerSlabAccount' is never imported
src/commands/slab-account.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Error Handling CVSS 3.1 CWE-209
No error handling for fetchSlab network operation which could leak sensitive error information
src/commands/slab-config.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Potential Prototype Pollution CVSS 2.5 CWE-1321
JSON.stringify on object with data from external source without sanitization
src/commands/slab-config.ts:24
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/slab-config.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/slab-config.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/slab-config.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/slab.js'
src/commands/slab-config.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../validation.js'
src/commands/slab-config.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerSlabConfig' is never imported
src/commands/slab-config.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Input Validation CVSS 5.3 CWE-20
BigInt conversion from user input without validation can throw or produce unexpected values
src/commands/update-config.ts:56
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Authorization Check CVSS 4.3 CWE-862
Admin authorization relies solely on ctx.payer being used as admin account - no client-side verification that payer is authorized
src/commands/update-config.ts:75
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Boundary Validation CVSS 5 CWE-190
threshMax default value of 10^19 and user-provided values lack upper bound validation against potential overflow
src/commands/update-config.ts:60
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Sensitive Operation Logging CVSS 2.1 CWE-532
Configuration values are logged to console after update, which may expose sensitive protocol parameters
src/commands/update-config.ts:91
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/update-config.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/update-config.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/update-config.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../abi/instructions.js'
src/commands/update-config.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/tx.js'
src/commands/update-config.ts:10
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../validation.js'
src/commands/update-config.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerUpdateConfig' is never imported
src/commands/update-config.ts:30
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 5.3 CWE-20
User index validation may not prevent negative values or excessively large numbers that could cause issues in the on-chain program
src/commands/close-account.ts:30
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Account Ownership Verification CVSS 5 CWE-863
No client-side verification that the user closing the account is actually the owner of the user account at userIdx
src/commands/close-account.ts:33
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Balance Verification CVSS 3.1 CWE-754
No verification that userAta exists or has sufficient rent before attempting to receive withdrawn collateral
src/commands/close-account.ts:36
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling Information Disclosure CVSS 2.5 CWE-209
formatResult may expose internal details in error messages that could aid attackers
src/commands/close-account.ts:64
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/close-account.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/close-account.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/close-account.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/slab.js'
src/commands/close-account.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/ata.js'
src/commands/close-account.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/pda.js'
src/commands/close-account.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../abi/instructions.js'
src/commands/close-account.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/tx.js'
src/commands/close-account.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../validation.js'
src/commands/close-account.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerCloseAccount' is never imported
src/commands/close-account.ts:17
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Error Handling CVSS 3.1 CWE-755
No try-catch block around async operations that may fail with network or parsing errors
src/commands/slab-header.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/slab-header.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/slab-header.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/slab-header.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/slab.js'
src/commands/slab-header.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../validation.js'
src/commands/slab-header.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerSlabHeader' is never imported
src/commands/slab-header.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 2.1 CWE-200
Detailed market information including internal state exposed via JSON output without access control
src/commands/list-markets.ts:64
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling CVSS 2 CWE-755
Silent fallback on RPC error may mask connectivity or permission issues
src/commands/list-markets.ts:35
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Denial Of Service CVSS 3 CWE-400
getProgramAccounts can return large datasets causing memory issues or RPC timeouts
src/commands/list-markets.ts:31
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/list-markets.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/list-markets.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/list-markets.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/slab.js'
src/commands/list-markets.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unused Import
'PublicKey' is imported but never used
src/commands/list-markets.ts:2
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Dead Code
Export 'registerListMarkets' is never imported
src/commands/list-markets.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 4.3 CWE-20
Compute unit limit parsed without bounds validation, could allow excessively high values
src/commands/keeper-crank.ts:74
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Integer Overflow Potential CVSS 3.1 CWE-190
callerIdx uses validateIndex but the sentinel value CRANK_NO_CALLER (65535) should be explicitly allowed
src/commands/keeper-crank.ts:52
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 2.4 CWE-209
Result formatting may expose sensitive transaction details in error cases
src/commands/keeper-crank.ts:82
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/keeper-crank.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/keeper-crank.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/keeper-crank.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../abi/instructions.js'
src/commands/keeper-crank.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/tx.js'
src/commands/keeper-crank.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerKeeperCrank' is never imported
src/commands/keeper-crank.ts:20
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Integer Parsing No Validation CVSS 3.1 CWE-20
Integer parsing with parseInt lacks validation for invalid or malicious input
src/commands/audit-cu.ts:211
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Prototype Pollution Risk CVSS 2 CWE-1321
Direct object property access with user-controlled key could be exploited if instruction name is not validated
src/commands/audit-cu.ts:211
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Log Injection CVSS 3.5 CWE-117
User-controlled instruction name is output to console without sanitization
src/commands/audit-cu.ts:220
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/audit-cu.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/audit-cu.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/audit-cu.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/tx.js'
src/commands/audit-cu.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unused Import
'loadConfig' is imported but never used
src/commands/audit-cu.ts:3
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Unused Import
'createContext' is imported but never used
src/commands/audit-cu.ts:4
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Dead Code
Export 'parseCuFromLogs' is never imported
src/commands/audit-cu.ts:41
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'parseCuCheckpoints' is never imported
src/commands/audit-cu.ts:62
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'CuAnalysis' is never imported
src/commands/audit-cu.ts:100
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'analyzeCu' is never imported
src/commands/audit-cu.ts:109
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'formatCuAnalysis' is never imported
src/commands/audit-cu.ts:131
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerAuditCu' is never imported
src/commands/audit-cu.ts:175
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Authorization Check CVSS 5.3 CWE-285
Admin-only operation lacks client-side authorization verification before transaction submission
src/commands/resolve-market.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Oracle Price Validation CVSS 4.3 CWE-754
No client-side validation that oracle price has been set before attempting to resolve market
src/commands/resolve-market.ts:20
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Market State Validation CVSS 3.1 CWE-754
No validation that the slab account exists and is a valid market before transaction submission
src/commands/resolve-market.ts:21
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/resolve-market.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/resolve-market.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/resolve-market.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../abi/instructions.js'
src/commands/resolve-market.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../abi/accounts.js'
src/commands/resolve-market.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/tx.js'
src/commands/resolve-market.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../validation.js'
src/commands/resolve-market.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerResolveMarket' is never imported
src/commands/resolve-market.ts:10
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Error Handling CVSS 3.1 CWE-755
Network fetch operation lacks explicit error handling for connection failures or invalid responses
src/commands/slab-params.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Potential Prototype Pollution CVSS 2.5 CWE-1321
JSON.stringify of params object could potentially expose unexpected properties if parseParams returns polluted object
src/commands/slab-params.ts:24
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/slab-params.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/slab-params.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/slab-params.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/slab.js'
src/commands/slab-params.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../validation.js'
src/commands/slab-params.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerSlabParams' is never imported
src/commands/slab-params.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-200
Full account owner addresses and financial data exposed without access control
src/commands/slab-accounts.ts:24
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Integer Overflow CVSS 2 CWE-190
BigInt accumulation in reduce could theoretically overflow in extreme scenarios
src/commands/slab-accounts.ts:56
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/slab-accounts.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/slab-accounts.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/slab-accounts.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/slab.js'
src/commands/slab-accounts.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../validation.js'
src/commands/slab-accounts.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerSlabAccounts' is never imported
src/commands/slab-accounts.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 5.3 CWE-20
i128 size parameter validation may not prevent overflow or manipulation attacks
src/commands/trade-cpi.ts:46
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Authorization Check CVSS 6.5 CWE-862
LP owner is read from slab data without verifying the caller has authorization to trade on behalf of this LP
src/commands/trade-cpi.ts:53
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-209
Error details may be exposed to users through formatResult without sanitization
src/commands/trade-cpi.ts:87
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Replay Protection CVSS 3.7 CWE-352
No nonce or idempotency key to prevent accidental duplicate trade submissions
src/commands/trade-cpi.ts:79
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/trade-cpi.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/trade-cpi.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/trade-cpi.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/slab.js'
src/commands/trade-cpi.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/pda.js'
src/commands/trade-cpi.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../abi/instructions.js'
src/commands/trade-cpi.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/tx.js'
src/commands/trade-cpi.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unused Import
'PublicKey' is imported but never used
src/commands/trade-cpi.ts:2
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Dead Code
Export 'registerTradeCpi' is never imported
src/commands/trade-cpi.ts:21
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Error Handling CVSS 3.1 CWE-209
No explicit error handling for fetchSlab network operation which could expose internal error details
src/commands/slab-nonce.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/slab-nonce.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/slab-nonce.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/slab-nonce.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/slab.js'
src/commands/slab-nonce.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../validation.js'
src/commands/slab-nonce.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerSlabNonce' is never imported
src/commands/slab-nonce.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 5.3 CWE-20
Amount validation uses validateU128 but the validated value is passed directly as a string without sanitization
src/commands/topup-insurance.ts:28
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Balance Verification CVSS 3.1 CWE-754
No verification that user's ATA has sufficient balance before attempting transaction
src/commands/topup-insurance.ts:34
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Account Validation CVSS 5.5 CWE-345
No validation that the fetched slab account belongs to the expected program or has valid state
src/commands/topup-insurance.ts:30
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling Information Disclosure CVSS 2.4 CWE-209
Errors from simulateOrSend may expose sensitive internal details through stack traces or raw error messages
src/commands/topup-insurance.ts:52
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/topup-insurance.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/topup-insurance.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/topup-insurance.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/slab.js'
src/commands/topup-insurance.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/ata.js'
src/commands/topup-insurance.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../abi/instructions.js'
src/commands/topup-insurance.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/tx.js'
src/commands/topup-insurance.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../validation.js'
src/commands/topup-insurance.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerTopupInsurance' is never imported
src/commands/topup-insurance.ts:16
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 5.3 CWE-20
Size parameter is validated as i128 but passed directly as string to encodeTradeNoCpi without sanitization
src/commands/trade-nocpi.ts:40
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Key Management Risk CVSS 5.5 CWE-22
LP wallet keypair loaded from file path provided via command line argument without path validation
src/commands/trade-nocpi.ts:44
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Transaction Verification CVSS 3.7 CWE-754
Transaction result is formatted and displayed without verifying success status before outputting
src/commands/trade-nocpi.ts:68
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 2.4 CWE-200
Console output echoes the full trade (size, LP identity, market) alongside the public keys involved; the keys themselves are public data, but the trade details can be sensitive when the CLI output lands in shared logs or CI transcripts
src/commands/trade-nocpi.ts:72
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/trade-nocpi.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/trade-nocpi.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/trade-nocpi.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/wallet.js'
src/commands/trade-nocpi.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../abi/instructions.js'
src/commands/trade-nocpi.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/tx.js'
src/commands/trade-nocpi.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerTradeNocpi' is never imported
src/commands/trade-nocpi.ts:20
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Error Handling CVSS 3.1 CWE-755
No try-catch block around async operations that could fail with network errors or invalid data
src/commands/slab-get.ts:17
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 2 CWE-200
Verbose output of on-chain data including admin addresses and configuration details
src/commands/slab-get.ts:47
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/slab-get.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/slab-get.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/slab-get.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/slab.js'
src/commands/slab-get.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../validation.js'
src/commands/slab-get.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerSlabGet' is never imported
src/commands/slab-get.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Authorization Check CVSS 5.3 CWE-862
Admin-only operation lacks client-side authorization verification before transaction submission
src/commands/set-oracle-authority.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
LOW Missing Input Validation CVSS 2.1 CWE-20
No validation that the new authority differs from current authority
src/commands/set-oracle-authority.ts:22
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
LOW Error Handling Information Disclosure CVSS 2 CWE-209
Errors from simulateOrSend may expose internal details in stack traces
src/commands/set-oracle-authority.ts:36
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/set-oracle-authority.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/set-oracle-authority.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/set-oracle-authority.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
CRITICAL Broken Reference
Cannot find module '../abi/instructions.js'
src/commands/set-oracle-authority.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
CRITICAL Broken Reference
Cannot find module '../abi/accounts.js'
src/commands/set-oracle-authority.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
CRITICAL Broken Reference
Cannot find module '../runtime/tx.js'
src/commands/set-oracle-authority.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
CRITICAL Broken Reference
Cannot find module '../validation.js'
src/commands/set-oracle-authority.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
LOW Dead Code
Export 'registerSetOracleAuthority' is never imported
src/commands/set-oracle-authority.ts:10
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Authentication System
MEDIUM Insufficient Input Validation CVSS 5.3 CWE-20
U128 validation result is not used to sanitize the value before passing to encodeSetRiskThreshold
src/commands/set-risk-threshold.ts:26
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Authorization Verification CVSS 4.3 CWE-862
Admin authorization is assumed based on payer key without client-side verification
src/commands/set-risk-threshold.ts:33
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Threshold Bounds Validation CVSS 3.7 CWE-1284
No business logic validation on threshold value range
src/commands/set-risk-threshold.ts:26
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/set-risk-threshold.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/set-risk-threshold.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/set-risk-threshold.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../abi/instructions.js'
src/commands/set-risk-threshold.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/tx.js'
src/commands/set-risk-threshold.ts:10
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../validation.js'
src/commands/set-risk-threshold.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerSetRiskThreshold' is never imported
src/commands/set-risk-threshold.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 4.3 CWE-20
parseInt without validation allows negative or NaN values for limit parameter
src/commands/close-all-slabs.ts:28
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Missing Authorization Check CVSS 7.1 CWE-862
No verification that ctx.payer is authorized to close the slab accounts before attempting transactions
src/commands/close-all-slabs.ts:81
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Denial Of Service CVSS 5.3 CWE-400
getProgramAccounts can return unbounded results, potentially causing memory exhaustion or timeout
src/commands/close-all-slabs.ts:36
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-209
Error messages are truncated but may still expose sensitive information
src/commands/close-all-slabs.ts:99
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Transaction Confirmation CVSS 4.7 CWE-356
No user confirmation before executing potentially destructive batch operations (CWE-352 in the original mapping is cross-site request forgery, which does not apply to a local CLI; CWE-356, used for the same issue in update-admin below, is the applicable weakness)
src/commands/close-all-slabs.ts:75
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
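The two close-all-slabs findings above (an unbounded getProgramAccounts sweep at line 36 and no confirmation before the destructive batch at line 75) share one remediation shape: bound what the command is willing to look at, and make the operator authorise the exact batch that was computed. The example below is added here and is not orbit_solguard code; the type and function names, the placeholder program id and the slab size are assumptions. In the real command the sweep would additionally pass `filters: [{ dataSize }]` and a `dataSlice` to `getProgramAccounts` so the RPC never returns full slab bodies, and the typed answer would come from Node's `readline` prompt.

```typescript
// Added example (not orbit_solguard code): bounding a getProgramAccounts sweep and
// gating a destructive batch behind an explicit confirmation. Names are assumptions.

interface ProgramAccountSummary {
  pubkey: string;   // base58 account address
  owner: string;    // base58 owning program
  dataLen: number;  // account data length; with a zero-length dataSlice this is all the RPC must send
}

interface SweepOptions {
  expectedOwner: string;   // program id the slabs must belong to
  expectedDataLen: number; // slab size, the same value a dataSize RPC filter would use
  maxScan: number;         // refuse to proceed if the RPC returns more than this many accounts
  limit: number;           // maximum slabs to close in this run
}

/** Pick the slabs this run may close; an oversized result set is an error, not a bigger batch. */
function selectSlabsToClose(accounts: ProgramAccountSummary[], opts: SweepOptions): string[] {
  if (!Number.isSafeInteger(opts.limit) || opts.limit < 1) throw new Error("limit must be a positive integer");
  if (!Number.isSafeInteger(opts.maxScan) || opts.maxScan < 1) throw new Error("maxScan must be a positive integer");
  if (accounts.length > opts.maxScan) {
    throw new Error(`scan returned ${accounts.length} accounts, above the cap of ${opts.maxScan}; tighten the RPC filters`);
  }
  const chosen: string[] = [];
  for (const a of accounts) {
    if (a.owner !== opts.expectedOwner) continue;     // defensive: the RPC already scopes by owner
    if (a.dataLen !== opts.expectedDataLen) continue; // accounts of other types are never closed
    chosen.push(a.pubkey);
    if (chosen.length === opts.limit) break;
  }
  return chosen;
}

interface ConfirmationInput {
  yes: boolean;          // --yes for scripted runs; never the default
  typedAnswer?: string;  // what the operator typed at an interactive prompt, if any
}

/** The phrase the operator must type; it includes the count so a stale plan cannot be confirmed out of habit. */
function confirmationPhrase(count: number): string {
  return `close ${count}`;
}

/** True only when this exact batch has been explicitly authorised. */
function confirmBatch(plan: string[], input: ConfirmationInput): boolean {
  if (plan.length === 0) return false; // nothing to close; do not proceed
  if (input.yes) return true;
  if (input.typedAnswer === undefined) return false;
  return input.typedAnswer.trim() === confirmationPhrase(plan.length);
}

// Constructed sample of a trimmed getProgramAccounts result (not real chain data).
const SLAB_PROGRAM = "SlabProgram11111111111111111111111111111111"; // placeholder id
const SLAB_LEN = 1024;                                            // placeholder slab size
const SAMPLE_SCAN: ProgramAccountSummary[] = [
  { pubkey: "SlabA", owner: SLAB_PROGRAM, dataLen: SLAB_LEN },
  { pubkey: "SlabB", owner: SLAB_PROGRAM, dataLen: SLAB_LEN },
  { pubkey: "Vault", owner: SLAB_PROGRAM, dataLen: 165 },        // not a slab: wrong size
  { pubkey: "SlabC", owner: SLAB_PROGRAM, dataLen: SLAB_LEN },
  { pubkey: "Other", owner: "SomeOtherProgram", dataLen: SLAB_LEN },
];
```

Failing closed on an oversized scan is deliberate: a batch command that silently processes "whatever came back" is the path by which a mis-set filter or an RPC change turns into mass account closure.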
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/close-all-slabs.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/close-all-slabs.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/close-all-slabs.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../abi/instructions.js'
src/commands/close-all-slabs.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/tx.js'
src/commands/close-all-slabs.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unused Import
'PublicKey' is imported but never used
src/commands/close-all-slabs.ts:2
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Dead Code
Export 'registerCloseAllSlabs' is never imported
src/commands/close-all-slabs.ts:17
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 5.3 CWE-20
Fee input validated as u128 but passed directly as string without sanitization or bounds checking
src/commands/init-user.ts:28
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Account Ownership Validation CVSS 5.9 CWE-346
Slab account data is fetched and parsed without verifying it belongs to the expected program
src/commands/init-user.ts:35
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing ATA Validation CVSS 3.7 CWE-754
User ATA is derived but not validated to exist before building the transaction
src/commands/init-user.ts:39
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Error Handling CVSS 3.1 CWE-755
simulateOrSend result is not checked for errors before formatting and displaying
src/commands/init-user.ts:55
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/init-user.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/init-user.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/init-user.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/slab.js'
src/commands/init-user.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/ata.js'
src/commands/init-user.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../abi/instructions.js'
src/commands/init-user.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/tx.js'
src/commands/init-user.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../validation.js'
src/commands/init-user.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerInitUser' is never imported
src/commands/init-user.ts:16
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 5.3 CWE-20
PublicKey constructor accepts user input without validation, potentially causing unhandled exceptions
src/commands/init-market.ts:52
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Integer Overflow CVSS 5.9 CWE-190
parseInt without range validation for numeric parameters that feed into on-chain program
src/commands/init-market.ts:62
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Validation CVSS 3.7 CWE-20
Feed ID validation only checks format but not semantic validity
src/commands/init-market.ts:56
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
LOW Missing Validation CVSS 3.1 CWE-20
Large u128 string values are passed directly without validation
src/commands/init-market.ts:69
Fix Complexity: LOW
Est. Time: 15-30 minutes
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/init-market.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/init-market.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/init-market.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/pda.js'
src/commands/init-market.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../abi/instructions.js'
src/commands/init-market.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/tx.js'
src/commands/init-market.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerInitMarket' is never imported
src/commands/init-market.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 5.3 CWE-20
Amount validation occurs but the raw string value is used directly without sanitization or numeric conversion verification
src/commands/deposit.ts:35
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Account Validation CVSS 5.9 CWE-345
Slab data is fetched and parsed without verifying the account owner or discriminator before trusting the data
src/commands/deposit.ts:39
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing ATA Ownership Verification CVSS 3.7 CWE-754
User ATA is derived but not verified to exist or have correct ownership before building transaction
src/commands/deposit.ts:43
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Error Handling CVSS 3.1 CWE-755
No try-catch around network calls that could fail, potentially exposing internal errors
src/commands/deposit.ts:39
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/deposit.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/deposit.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/deposit.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/slab.js'
src/commands/deposit.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/ata.js'
src/commands/deposit.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../abi/instructions.js'
src/commands/deposit.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/tx.js'
src/commands/deposit.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerDeposit' is never imported
src/commands/deposit.ts:20
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Authorization Check CVSS 5.3 CWE-863
No client-side verification that ctx.payer is actually authorized as admin for the slab account
src/commands/close-slab.ts:29
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Input Validation CVSS 3.1 CWE-20
No validation that the slab account exists or is of the correct account type before transaction submission
src/commands/close-slab.ts:24
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/close-slab.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/close-slab.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/close-slab.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../abi/instructions.js'
src/commands/close-slab.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/tx.js'
src/commands/close-slab.ts:10
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../validation.js'
src/commands/close-slab.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerCloseSlab' is never imported
src/commands/close-slab.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-200
Sensitive financial data (vault balances, insurance fund details, liquidation counts) output to console without access control verification
src/commands/slab-engine.ts:23
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Input Validation CVSS 2.5 CWE-20
Input validation relies on the external validatePublicKey function; confirm it rejects characters outside the base58 alphabet and any value that does not decode to exactly 32 bytes, rather than only checking length or character class
src/commands/slab-engine.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/slab-engine.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/slab-engine.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/slab-engine.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/slab.js'
src/commands/slab-engine.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../validation.js'
src/commands/slab-engine.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerSlabEngine' is never imported
src/commands/slab-engine.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 5.3 CWE-20
Amount validation is performed but the raw string value is used directly without conversion or range checking
src/commands/withdraw.ts:37
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Account Ownership Validation CVSS 4.7 CWE-863
User's ATA is derived but not verified to exist or be owned by the user before building transaction
src/commands/withdraw.ts:43
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Slab Account Validation CVSS 5 CWE-345
Slab account data is fetched and parsed without verifying account ownership or discriminator
src/commands/withdraw.ts:40
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Error Handling CVSS 3.1 CWE-754
simulateOrSend result is used without checking for errors or partial failures
src/commands/withdraw.ts:66
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/withdraw.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/withdraw.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/withdraw.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/slab.js'
src/commands/withdraw.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/ata.js'
src/commands/withdraw.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/pda.js'
src/commands/withdraw.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../abi/instructions.js'
src/commands/withdraw.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/tx.js'
src/commands/withdraw.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerWithdraw' is never imported
src/commands/withdraw.ts:21
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Audit Logging CVSS 5.3 CWE-778
Administrative action (transfer of admin rights) lacks audit logging
src/commands/update-admin.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Administrative Functions
LOW Missing Confirmation Prompt CVSS 3.3 CWE-356
Destructive administrative action proceeds without user confirmation
src/commands/update-admin.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Administrative Functions
MEDIUM Missing New Admin Validation CVSS 4.3 CWE-20
No validation that new admin address is different from current admin or is a valid, non-system address
src/commands/update-admin.ts:27
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Administrative Functions
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/update-admin.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Administrative Functions
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/update-admin.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Administrative Functions
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/update-admin.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Administrative Functions
CRITICAL Broken Reference
Cannot find module '../abi/instructions.js'
src/commands/update-admin.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Administrative Functions
CRITICAL Broken Reference
Cannot find module '../runtime/tx.js'
src/commands/update-admin.ts:10
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Administrative Functions
CRITICAL Broken Reference
Cannot find module '../validation.js'
src/commands/update-admin.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Administrative Functions
LOW Dead Code
Export 'registerUpdateAdmin' is never imported
src/commands/update-admin.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Administrative Functions
MEDIUM Insufficient Input Validation CVSS 5.3 CWE-20
Fee parameter validated as U128 but passed directly as string without conversion, potentially allowing overflow or format manipulation
src/commands/init-lp.ts:33
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
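The same "validated as u128/i128 but passed on as the raw string" finding recurs for topup-insurance, trade-nocpi, set-risk-threshold, init-user, deposit, withdraw and init-lp above, alongside the parseInt findings in close-all-slabs and init-market and the unvalidated PublicKey constructor in init-market. One parsing layer fixes all of them: convert each argument to a typed, range-checked value once, at the CLI boundary, and hand only that value to the instruction encoder. The example below is added here and is not orbit_solguard code; the function names are assumptions, and the base58 decoder is included so the public-key check runs without the Solana SDK.

```typescript
// Added example (not orbit_solguard code): strict parsing for CLI arguments.
// Why parseInt is not validation: parseInt("12abc") is 12, parseInt("1e3") is 1,
// parseInt("") is NaN, and a value that merely passes a u128 regex is still just a string.

const U128_MAX = (BigInt(1) << BigInt(128)) - BigInt(1);
const I128_MAX = (BigInt(1) << BigInt(127)) - BigInt(1);
const I128_MIN = -(BigInt(1) << BigInt(127));

/** Decimal string -> bigint within [min, max]; anything else is an error, never a silent default. */
function parseBigIntInRange(raw: string, min: bigint, max: bigint, label: string): bigint {
  const s = raw.trim();
  // Optional sign plus ASCII digits only: rejects "", "1.5", "1e3", "0x10", "12abc", "+5".
  if (!/^-?[0-9]+$/.test(s)) {
    throw new Error(`${label}: not a decimal integer: ${JSON.stringify(raw)}`);
  }
  const v = BigInt(s);
  if (v < min || v > max) throw new Error(`${label}: ${s} is outside [${min}, ${max}]`);
  return v;
}

/** u128 amounts: deposits, withdrawals, fees, insurance top-ups, risk thresholds. */
function parseU128(raw: string, label = "amount"): bigint {
  return parseBigIntInRange(raw, BigInt(0), U128_MAX, label);
}

/** i128 trade size: the sign carries meaning (short vs long), so only the magnitude is bounded. */
function parseI128(raw: string, label = "size"): bigint {
  return parseBigIntInRange(raw, I128_MIN, I128_MAX, label);
}

/** Small bounded integers such as --limit; min and max are ordinary safe integers. */
function parseBoundedInt(raw: string, min: number, max: number, label = "value"): number {
  return Number(parseBigIntInRange(raw, BigInt(min), BigInt(max), label));
}

// Base58 as used for Solana addresses (Bitcoin alphabet: no 0, O, I or l).
const B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";

/** Decode base58 to bytes; any character outside the alphabet is rejected. */
function decodeBase58(s: string): Uint8Array {
  if (s.length === 0) throw new Error("empty base58 string");
  const littleEndian: number[] = []; // big integer accumulator, least significant byte first
  for (let k = 0; k < s.length; k++) {
    let carry = B58_ALPHABET.indexOf(s[k]);
    if (carry < 0) throw new Error(`invalid base58 character ${JSON.stringify(s[k])}`);
    for (let i = 0; i < littleEndian.length; i++) {
      carry += littleEndian[i] * 58;
      littleEndian[i] = carry & 0xff;
      carry >>= 8;
    }
    while (carry > 0) {
      littleEndian.push(carry & 0xff);
      carry >>= 8;
    }
  }
  // Each leading '1' is a leading zero byte that the arithmetic above cannot represent.
  let leadingZeros = 0;
  while (leadingZeros < s.length && s[leadingZeros] === "1") leadingZeros++;
  const out = new Uint8Array(leadingZeros + littleEndian.length);
  for (let i = 0; i < littleEndian.length; i++) {
    out[leadingZeros + i] = littleEndian[littleEndian.length - 1 - i];
  }
  return out;
}

/** A Solana public key is exactly 32 bytes; "valid base58" alone is not enough. */
function parsePublicKey(raw: string, label = "pubkey"): Uint8Array {
  const bytes = decodeBase58(raw.trim());
  if (bytes.length !== 32) {
    throw new Error(`${label}: decodes to ${bytes.length} bytes, expected 32`);
  }
  return bytes;
}
```

Returning bigint and Uint8Array rather than strings means the instruction encoders can take typed parameters, and the "validated but passed as string" class of finding disappears at the type level instead of relying on every command remembering to convert.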
LOW Missing Balance Verification CVSS 3.1 CWE-754
No verification that user ATA has sufficient balance before transaction submission
src/commands/init-lp.ts:40
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing ATA Existence Check CVSS 3.1 CWE-754
getAta returns derived address without verifying the account exists on-chain
src/commands/init-lp.ts:40
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
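The ATA findings for topup-insurance, init-user, deposit, withdraw and init-lp above all come down to the same gap: a derived associated-token address is only an address, and the command never looks at the account behind it. The check a practitioner wants reads the account once and verifies it in order (exists, owned by the token program, right mint, right holder, initialized and not frozen, funded for the amount about to move), so the failure surfaces as a clear message before anything is signed. The example below is added here and is not orbit_solguard code. The SPL Token account layout it decodes is the real one; the function and type names are assumptions, and the account bytes in the sample are constructed rather than fetched.

```typescript
// Added example (not orbit_solguard code). The SPL Token account layout used here is the real
// one (165 bytes: mint[0..32], owner[32..64], amount u64 LE[64..72], delegate COption[72..108],
// state[108], is_native[109..121], delegated_amount[121..129], close_authority[129..165]);
// the function and type names are assumptions.

const TOKEN_ACCOUNT_LEN = 165;

interface RawAccount {
  owner: string;     // base58 of the owning program; must be the token program
  data: Uint8Array;
}

interface TokenAccountExpectation {
  tokenProgram: string; // base58 token program id the ATA must be owned by
  mint: Uint8Array;     // 32 bytes
  holder: Uint8Array;   // 32 bytes: the wallet that must own the tokens
  minAmount: bigint;    // what the instruction is about to move
}

function bytesEqual(a: Uint8Array, b: Uint8Array): boolean {
  if (a.length !== b.length) return false;
  for (let i = 0; i < a.length; i++) if (a[i] !== b[i]) return false;
  return true;
}

function readU64LE(data: Uint8Array, offset: number): bigint {
  let v = BigInt(0);
  for (let i = 7; i >= 0; i--) v = (v << BigInt(8)) | BigInt(data[offset + i]);
  return v;
}

/** getAccountInfo returns null for a missing ATA; everything after that is a layout check. */
function checkFundedTokenAccount(acc: RawAccount | null, expect: TokenAccountExpectation): bigint {
  if (acc === null) throw new Error("token account does not exist; create the ATA before this instruction");
  if (acc.owner !== expect.tokenProgram) {
    throw new Error(`account is owned by ${acc.owner}, not the expected token program`);
  }
  // Legacy Token accounts are exactly 165 bytes; Token-2022 accounts may be longer (extensions).
  if (acc.data.length < TOKEN_ACCOUNT_LEN) {
    throw new Error(`token account data too short: ${acc.data.length} bytes`);
  }
  const d = acc.data;
  if (!bytesEqual(d.subarray(0, 32), expect.mint)) throw new Error("token account is for a different mint");
  if (!bytesEqual(d.subarray(32, 64), expect.holder)) throw new Error("token account is not owned by the wallet");
  const state = d[108]; // 0 = uninitialized, 1 = initialized, 2 = frozen
  if (state === 2) throw new Error("token account is frozen");
  if (state !== 1) throw new Error("token account is not initialized");
  const amount = readU64LE(d, 64);
  if (amount < expect.minAmount) {
    throw new Error(`insufficient token balance: have ${amount}, need ${expect.minAmount}`);
  }
  return amount;
}

/** Constructed sample token account bytes (not chain data) for offline checks. */
function makeTokenAccount(mint: Uint8Array, holder: Uint8Array, amount: bigint, state = 1): Uint8Array {
  const d = new Uint8Array(TOKEN_ACCOUNT_LEN);
  d.set(mint, 0);
  d.set(holder, 32);
  let v = amount;
  for (let i = 0; i < 8; i++) {
    d[64 + i] = Number(v & BigInt(0xff));
    v >>= BigInt(8);
  }
  d[108] = state;
  return d;
}
```

The balance check is advisory (the on-chain program is the real enforcement point and the balance can change between the read and the send), but it turns an opaque simulation failure into a one-line explanation and stops the command from spending a fee on a transaction that cannot succeed.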
LOW Information Disclosure CVSS 2.4 CWE-209
formatResult may expose sensitive transaction details in error cases
src/commands/init-lp.ts:64
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/init-lp.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/init-lp.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/init-lp.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/slab.js'
src/commands/init-lp.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/ata.js'
src/commands/init-lp.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../abi/instructions.js'
src/commands/init-lp.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/tx.js'
src/commands/init-lp.ts:13 Click to copy
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../validation.js'
src/commands/init-lp.ts:14 Click to copy
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerInitLp' is never imported
src/commands/init-lp.ts:16 Click to copy
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
HIGH Insufficient Authorization Check CVSS 7.5 CWE-862
No client-side check that the target account is actually undercollateralized, or that the caller may liquidate it, before the transaction is sent. Caveat on the rating: the on-chain program is the enforcement point. If liquidation is permissionless by design, this is a pre-flight gap (wasted fees, confusing failures, liquidating the wrong account by mistake) rather than an authorization bypass, and HIGH should be revisited once what the program enforces has been confirmed.
src/commands/liquidate-at-oracle.ts:23
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Oracle Manipulation Risk CVSS 6.5 CWE-20
The oracle account comes from a CLI flag and is never compared with the oracle recorded in the market's slab config. Unless the program fails to check the oracle itself, an operator who supplies the wrong account only harms their own transaction; the client-side comparison is still worth having, both as a guard against a pasted wrong address and as a pre-flight that fails before any fee is paid.
src/commands/liquidate-at-oracle.ts:29
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Slab Ownership Validation CVSS 5.3 CWE-345
No check that the slab account's owner is the expected program id, or that its data has the expected length and discriminator, before it is parsed; any account passed as the slab argument is decoded as if it were a slab.
src/commands/liquidate-at-oracle.ts:28
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Error Handling CVSS 3.1 CWE-755
No try-catch wrapper around the transaction simulation/send operation to handle and report errors gracefully
src/commands/liquidate-at-oracle.ts:50
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
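Added example, not code from the orbit_solguard project: the client-side pre-flight checks the liquidate-at-oracle findings above ask for (slab owner and shape validation, supplied oracle must match the slab's configured oracle) together with the ATA existence and balance check from the init-lp findings, written against raw account bytes so it runs offline. Assumptions: keys are plain 32-byte arrays rather than web3.js PublicKey objects; the slab header layout (4-byte magic, oracle key at offset 8) is hypothetical; the sample accounts are constructed here. The SPL Token account layout used (mint, owner, then a u64 little-endian amount at offset 64, 165 bytes in total) is the real one.

```typescript
// Added example (not orbit_solguard code): pre-flight checks on raw account
// bytes before a CLI builds a liquidation or deposit transaction.

export interface RawAccount {
  owner: Uint8Array; // program id that owns the account
  data: Uint8Array;  // account data as returned by getAccountInfo
}

export class PreflightError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "PreflightError";
  }
}

// Byte comparison without early exit on content; a length mismatch is reported up front on purpose.
export function bytesEqual(a: Uint8Array, b: Uint8Array): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i];
  return diff === 0;
}

function readU64LE(data: Uint8Array, offset: number): bigint {
  let v = BigInt(0);
  for (let i = 7; i >= 0; i--) v = (v << BigInt(8)) | BigInt(data[offset + i]);
  return v;
}

// HYPOTHETICAL slab layout, used only so the example is self-contained:
// bytes 0..4 magic "SLAB", bytes 8..40 the market's oracle public key.
const SLAB_MAGIC = new Uint8Array([0x53, 0x4c, 0x41, 0x42]);
const SLAB_ORACLE_OFFSET = 8;
const SLAB_MIN_LEN = 72;

// Refuse to decode anything as a slab unless the program owns it and the header is sane.
export function parseSlabHeader(acct: RawAccount | null, programId: Uint8Array): { oracle: Uint8Array } {
  if (acct === null) throw new PreflightError("slab account does not exist");
  if (!bytesEqual(acct.owner, programId)) throw new PreflightError("slab account is not owned by the expected program");
  if (acct.data.length < SLAB_MIN_LEN) throw new PreflightError("slab account data is too short");
  if (!bytesEqual(acct.data.subarray(0, 4), SLAB_MAGIC)) throw new PreflightError("slab discriminator mismatch");
  return { oracle: acct.data.slice(SLAB_ORACLE_OFFSET, SLAB_ORACLE_OFFSET + 32) };
}

// The --oracle flag must name the oracle the market is configured with. The
// on-chain program still enforces this; the check here only fails fast.
export function preflightLiquidation(slab: RawAccount | null, programId: Uint8Array, suppliedOracle: Uint8Array): void {
  const { oracle } = parseSlabHeader(slab, programId);
  if (!bytesEqual(oracle, suppliedOracle)) {
    throw new PreflightError("supplied oracle is not the market's configured oracle");
  }
}

const TOKEN_ACCOUNT_LEN = 165; // SPL Token account size

// Balance of an SPL token account; rejects accounts the token program does not own.
export function readTokenBalance(acct: RawAccount | null, tokenProgramId: Uint8Array): bigint {
  if (acct === null) throw new PreflightError("token account does not exist; create the ATA first");
  if (!bytesEqual(acct.owner, tokenProgramId)) throw new PreflightError("account is not owned by the token program");
  if (acct.data.length !== TOKEN_ACCOUNT_LEN) throw new PreflightError("unexpected token account size");
  return readU64LE(acct.data, 64);
}

export function preflightDeposit(ata: RawAccount | null, tokenProgramId: Uint8Array, required: bigint): bigint {
  const balance = readTokenBalance(ata, tokenProgramId);
  if (balance < required) throw new PreflightError(`insufficient balance: have ${balance}, need ${required}`);
  return balance;
}

// Constructed sample data (not real on-chain accounts).
export function fakeKey(seed: number): Uint8Array { return new Uint8Array(32).fill(seed); }
export function sampleSlab(owner: Uint8Array, oracle: Uint8Array): RawAccount {
  const data = new Uint8Array(SLAB_MIN_LEN);
  data.set(SLAB_MAGIC, 0);
  data.set(oracle, SLAB_ORACLE_OFFSET);
  return { owner, data };
}
export function sampleTokenAccount(tokenProgramId: Uint8Array, amount: bigint): RawAccount {
  const data = new Uint8Array(TOKEN_ACCOUNT_LEN);
  let v = amount;
  for (let i = 0; i < 8; i++) { data[64 + i] = Number(v & BigInt(0xff)); v >>= BigInt(8); }
  return { owner: tokenProgramId, data };
}

// Demo: correct inputs pass; a slab owned by the wrong program is rejected before any RPC call.
export const PROGRAM = fakeKey(1), TOKEN_PROGRAM = fakeKey(2), ORACLE = fakeKey(3);
preflightLiquidation(sampleSlab(PROGRAM, ORACLE), PROGRAM, ORACLE);
preflightDeposit(sampleTokenAccount(TOKEN_PROGRAM, BigInt(1000)), TOKEN_PROGRAM, BigInt(500));
try {
  preflightLiquidation(sampleSlab(fakeKey(9), ORACLE), PROGRAM, ORACLE);
} catch (e) {
  console.log(String(e)); // PreflightError: slab account is not owned by the expected program
}
```

In the real command the two RawAccount values come from getAccountInfo on the slab and on the derived ATA; a null result is the "account does not exist" case, and the owner comparison is what stops an arbitrary account from being parsed as a slab.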
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/liquidate-at-oracle.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/liquidate-at-oracle.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/liquidate-at-oracle.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../abi/instructions.js'
src/commands/liquidate-at-oracle.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/tx.js'
src/commands/liquidate-at-oracle.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../validation.js'
src/commands/liquidate-at-oracle.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerLiquidateAtOracle' is never imported
src/commands/liquidate-at-oracle.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Authorization Validation CVSS 5.3 CWE-285
The admin-only check is enforced on-chain, which is where it belongs; the gap is that a non-admin caller only learns this from a failed transaction. Read the admin key from the slab config and compare it with the signer before sending. A client-side pre-check is a usability and fail-fast measure only; it must never be relied on as the authorization decision, and one that diverges from the program's rule is worse than none.
src/commands/withdraw-insurance.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Missing Market State Validation CVSS 4.3 CWE-754
No check that the market is actually resolved before the withdrawal is attempted; read the market state from the slab and refuse early instead of paying for a transaction the program will reject.
src/commands/withdraw-insurance.ts:28
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Error Handling Gap CVSS 3.1 CWE-209
fetchSlab and parseConfig failures could expose internal error details
src/commands/withdraw-insurance.ts:27
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Balance Validation CVSS 2.7 CWE-754
No validation that insurance fund has balance before attempting withdrawal
src/commands/withdraw-insurance.ts:30
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/withdraw-insurance.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/withdraw-insurance.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/withdraw-insurance.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../abi/instructions.js'
src/commands/withdraw-insurance.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../abi/accounts.js'
src/commands/withdraw-insurance.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/tx.js'
src/commands/withdraw-insurance.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../validation.js'
src/commands/withdraw-insurance.ts:9
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/slab.js'
src/commands/withdraw-insurance.ts:10
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/pda.js'
src/commands/withdraw-insurance.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerWithdrawInsurance' is never imported
src/commands/withdraw-insurance.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Insufficient Input Validation CVSS 5.3 CWE-20
The price is accepted without bounds: no absolute range and no deviation limit against the last published price, so a typo or a compromised operator shell can publish an arbitrary price in a single command. This CLI is the oracle authority's own tool, so the check is a safety interlock; whatever the program itself enforces is the security boundary.
src/commands/push-oracle-price.ts:23
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Integer Overflow CVSS 4.3 CWE-190
BigInt() is called on the raw string; malformed input ('1.5', 'abc', '') throws a SyntaxError that nothing catches. JavaScript BigInt is arbitrary-precision, so this is an unhandled-exception and input-validation defect (closer to CWE-755/CWE-20 than CWE-190); the overflow risk only appears when the value is serialised into the instruction's fixed-width field, which must be range-checked separately.
src/commands/push-oracle-price.ts:23
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Timestamp Manipulation CVSS 3.7 CWE-20
The timestamp is taken as given, with no staleness or future-skew check against the local clock and no requirement that it advance past the last published update.
src/commands/push-oracle-price.ts:24
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Confirmation CVSS 2.4 CWE-352
The privileged oracle push executes with no confirmation prompt summarising what is about to be signed. (CWE-352 is cross-site request forgery and does not apply to a local CLI; treat this as a missing safety interlock.)
src/commands/push-oracle-price.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
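Added example, not code from the orbit_solguard project: the operator-side checks the four push-oracle-price findings above call for, in one place. It takes already-parsed bigint values (string parsing is a separate concern), bounds the price absolutely and relative to the last published price in basis points, rejects stale, future or non-advancing timestamps, and gates the send behind a confirmation callback. The thresholds, the 6-decimal sample prices, the confirm and send callbacks and the reference-price shape are assumptions made for the example.

```typescript
// Added example (not orbit_solguard code): operator-side sanity checks for a
// privileged oracle push. Thresholds and the confirm/send callbacks are assumptions.

export interface OracleUpdate {
  price: bigint;     // fixed-point price as the program stores it
  timestamp: bigint; // unix seconds
}
export interface OracleReference {
  lastPrice: bigint;
  lastTimestamp: bigint;
}
export interface OraclePolicy {
  minPrice: bigint;
  maxPrice: bigint;
  maxDeviationBps: bigint;  // largest allowed move versus the last published price
  maxStalenessSec: bigint;  // oldest acceptable timestamp relative to the local clock
  maxFutureSkewSec: bigint; // furthest-ahead acceptable timestamp
}

function abs(x: bigint): bigint { return x < BigInt(0) ? -x : x; }

// Returns every policy violation; an empty list means the update may be sent.
export function checkOracleUpdate(u: OracleUpdate, ref: OracleReference | null, policy: OraclePolicy, nowSec: bigint): string[] {
  const problems: string[] = [];
  if (u.price <= BigInt(0)) problems.push("price must be positive");
  else if (u.price < policy.minPrice || u.price > policy.maxPrice) {
    problems.push(`price ${u.price} outside [${policy.minPrice}, ${policy.maxPrice}]`);
  }
  if (u.timestamp < nowSec - policy.maxStalenessSec) problems.push("timestamp is stale");
  if (u.timestamp > nowSec + policy.maxFutureSkewSec) problems.push("timestamp is in the future");
  if (ref !== null) {
    if (u.timestamp <= ref.lastTimestamp) problems.push("timestamp does not advance past the last update");
    if (ref.lastPrice > BigInt(0)) {
      // Integer basis points: |new - last| * 10000 / last
      const deviationBps = (abs(u.price - ref.lastPrice) * BigInt(10000)) / ref.lastPrice;
      if (deviationBps > policy.maxDeviationBps) {
        problems.push(`price moves ${deviationBps} bps from ${ref.lastPrice}; limit ${policy.maxDeviationBps} bps`);
      }
    }
  }
  return problems;
}

export type PushOutcome =
  | { status: "rejected"; problems: string[] }
  | { status: "aborted" }
  | { status: "sent"; signature: string };

// Gate a privileged push behind the policy check and an explicit confirmation.
export function pushOraclePrice(
  u: OracleUpdate, ref: OracleReference | null, policy: OraclePolicy, nowSec: bigint,
  confirm: (summary: string) => boolean, send: (u: OracleUpdate) => string,
): PushOutcome {
  const problems = checkOracleUpdate(u, ref, policy, nowSec);
  if (problems.length > 0) return { status: "rejected", problems };
  const summary = `push price=${u.price} ts=${u.timestamp}` +
    (ref ? ` (last ${ref.lastPrice} @ ${ref.lastTimestamp})` : "");
  if (!confirm(summary)) return { status: "aborted" };
  return { status: "sent", signature: send(u) };
}

// Constructed sample: 6-decimal prices, last published 100.000000 ten seconds ago.
export const SAMPLE_POLICY: OraclePolicy = {
  minPrice: BigInt(1), maxPrice: BigInt("1000000000000"),
  maxDeviationBps: BigInt(500), maxStalenessSec: BigInt(60), maxFutureSkewSec: BigInt(5),
};
export const NOW = BigInt(1_700_000_000);
export const LAST: OracleReference = { lastPrice: BigInt(100_000_000), lastTimestamp: NOW - BigInt(10) };

// Stand-ins for an interactive prompt and for sendAndConfirm (constructed, not real).
const autoYes = (_summary: string) => true;
const fakeSend = (_u: OracleUpdate) => "constructed-signature";
console.log(pushOraclePrice({ price: BigInt(101_000_000), timestamp: NOW }, LAST, SAMPLE_POLICY, NOW, autoYes, fakeSend).status); // sent
console.log(pushOraclePrice({ price: BigInt(120_000_000), timestamp: NOW }, LAST, SAMPLE_POLICY, NOW, autoYes, fakeSend).status); // rejected
```

The reference values would come from the current oracle account on-chain (read before signing), the clock from the operator host, and confirm from a real prompt; an explicit --yes flag can replace the prompt for unattended keepers, but the policy check should stay on.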
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/push-oracle-price.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/push-oracle-price.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/push-oracle-price.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../abi/instructions.js'
src/commands/push-oracle-price.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../abi/accounts.js'
src/commands/push-oracle-price.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/tx.js'
src/commands/push-oracle-price.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../validation.js'
src/commands/push-oracle-price.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerPushOraclePrice' is never imported
src/commands/push-oracle-price.ts:10
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insufficient Input Validation CVSS 3.1 CWE-20
Public key validation relies on external function without visibility into error handling
src/commands/slab-bitmap.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Unhandled Promise Rejection CVSS 2.5 CWE-755
Async operation fetchSlab may throw network errors without explicit handling
src/commands/slab-bitmap.ts:19
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../cli.js'
src/commands/slab-bitmap.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../config.js'
src/commands/slab-bitmap.ts:3
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../runtime/context.js'
src/commands/slab-bitmap.ts:4
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../solana/slab.js'
src/commands/slab-bitmap.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module '../validation.js'
src/commands/slab-bitmap.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'registerSlabBitmap' is never imported
src/commands/slab-bitmap.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-209
Raw user input is echoed in ValidationError messages, so a very long or control-character-laden argument is reproduced verbatim in terminal output and logs. Truncate it and strip non-printable characters before echoing.
src/validation.ts:35
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Denial Of Service CVSS 3.7 CWE-400
BigInt() on an arbitrarily long digit string is expensive for very long inputs; bound the input length before converting (a u128 has at most 39 decimal digits, an i128 at most 40 characters including the sign).
src/validation.ts:67
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Integer Handling CVSS 2.5 CWE-704
parseInt silently accepts trailing garbage ('123abc' returns 123) and stops at an exponent ('1e3' returns 1). Match a strict decimal pattern first, then convert with BigInt or Number and range-check.
src/validation.ts:48
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'ValidationError' is never imported
src/validation.ts:17
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'validatePublicKey' is never imported
src/validation.ts:30
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'validateIndex' is never imported
src/validation.ts:45
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'validateAmount' is never imported
src/validation.ts:65
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'validateU128' is never imported
src/validation.ts:90
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'validateI64' is never imported
src/validation.ts:115
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'validateI128' is never imported
src/validation.ts:143
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'validateBps' is never imported
src/validation.ts:171
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'validateU64' is never imported
src/validation.ts:191
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'validateU16' is never imported
src/validation.ts:198
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
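Added example, not code from the orbit_solguard project: one strict numeric parser covering the three src/validation.ts findings above (echoed input, unbounded BigInt conversion, lenient parseInt), the uncaught BigInt() SyntaxError noted on push-oracle-price, and the string-instead-of-bigint fee handling noted on init-lp. It bounds the input length before calling BigInt(), accepts only a plain decimal grammar, range-checks against the target width, returns a bigint that is then serialised explicitly. The helper names mirror the exports this report lists for src/validation.ts but the implementations, limits and the sample inputs are the example's own.

```typescript
// Added example (not orbit_solguard code): strict parsing of typed numeric CLI
// arguments, plus explicit u128 serialisation so a raw string never reaches the
// instruction encoder.

export class ValidationError extends Error {
  constructor(message: string) { super(message); this.name = "ValidationError"; }
}

const MAX_INPUT_LEN = 41;       // sign + 40 digits covers every i128/u128 value
const DECIMAL = /^-?[0-9]+$/;   // no whitespace, exponent, hex, decimal point or non-ASCII digits

// Echo user input safely: printable ASCII only, truncated so a huge argument cannot flood the log.
export function echo(input: string): string {
  const printable = input.replace(/[^\x20-\x7e]/g, "?");
  return printable.length > 32 ? printable.slice(0, 32) + "..." : printable;
}

// Parse a decimal integer string into a bigint within [min, max]; throws ValidationError otherwise.
export function parseIntStrict(input: string, name: string, min: bigint, max: bigint): bigint {
  if (input.length > MAX_INPUT_LEN || !DECIMAL.test(input)) {
    throw new ValidationError(`${name}: expected a decimal integer, got '${echo(input)}'`);
  }
  const value = BigInt(input); // cannot throw here: bounded length, digits only
  if (value < min || value > max) {
    throw new ValidationError(`${name}: ${echo(input)} is outside [${min}, ${max}]`);
  }
  return value;
}

export const U16_MAX = (BigInt(1) << BigInt(16)) - BigInt(1);
export const U64_MAX = (BigInt(1) << BigInt(64)) - BigInt(1);
export const U128_MAX = (BigInt(1) << BigInt(128)) - BigInt(1);
export const I64_MIN = -(BigInt(1) << BigInt(63));
export const I64_MAX = (BigInt(1) << BigInt(63)) - BigInt(1);
export const I128_MIN = -(BigInt(1) << BigInt(127));
export const I128_MAX = (BigInt(1) << BigInt(127)) - BigInt(1);

export const validateU16 = (s: string, name = "u16") => parseIntStrict(s, name, BigInt(0), U16_MAX);
export const validateU64 = (s: string, name = "u64") => parseIntStrict(s, name, BigInt(0), U64_MAX);
export const validateU128 = (s: string, name = "u128") => parseIntStrict(s, name, BigInt(0), U128_MAX);
export const validateI64 = (s: string, name = "i64") => parseIntStrict(s, name, I64_MIN, I64_MAX);
export const validateI128 = (s: string, name = "i128") => parseIntStrict(s, name, I128_MIN, I128_MAX);
export const validateBps = (s: string, name = "bps") => parseIntStrict(s, name, BigInt(0), BigInt(10000));
// Slot/array indexes are small enough for a JS number once they are range-checked.
export const validateIndex = (s: string, length: number, name = "index") =>
  Number(parseIntStrict(s, name, BigInt(0), BigInt(length - 1)));

// Encode a validated u128 as the 16 little-endian bytes the instruction expects;
// throws instead of silently truncating.
export function writeU128LE(value: bigint): Uint8Array {
  if (value < BigInt(0) || value > U128_MAX) throw new RangeError("value does not fit in u128");
  const out = new Uint8Array(16);
  let v = value;
  for (let i = 0; i < 16; i++) { out[i] = Number(v & BigInt(0xff)); v >>= BigInt(8); }
  return out;
}

// Demo on constructed inputs: the forms parseInt/Number would silently accept are rejected.
for (const s of ["123", "123abc", "1e3", "0x10", " 42", "18446744073709551616"]) {
  try { console.log(s, "->", validateU64(s).toString()); }
  catch (e) { console.log(s, "->", String(e)); }
}
console.log(Array.from(writeU128LE(validateU128("340282366920938463463374607431768211455"))).every(b => b === 0xff)); // true
```

Whitespace is deliberately not trimmed: a shell already strips it, and accepting ' 42' invites accepting other near-misses. If the CLI must tolerate leading zeros or a '+' sign, widen DECIMAL rather than falling back to parseInt.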
MEDIUM Input Validation CVSS 4.3 CWE-20
The --commitment option accepts any string; only processed, confirmed and finalized are meaningful commitment levels, and an unknown value surfaces as an RPC error far from the flag that caused it. Validate against the allowed set at parse time.
src/cli.ts:51
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
Config and wallet path options accept arbitrary file paths without validation
src/cli.ts:46
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-200
Hosted RPC providers commonly put the API key in the URL path or query string; if the --rpc-url value is logged, printed in an error or written to a config file, the key leaks with it. Redact the URL before it is displayed anywhere.
src/cli.ts:47
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Missing Input Validation CVSS 3.1 CWE-20
The --program-id option accepts any string; validate that it decodes from base58 to exactly 32 bytes before it is used.
src/cli.ts:48
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
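Added example, not code from the orbit_solguard project: validation of the global flags covered by the four src/cli.ts findings above, in one resolver. It checks the commitment level against the allowed set, decodes the program id from base58 and requires exactly 32 bytes, redacts credentials, query strings and long path tokens from the RPC URL before it is shown, and refuses to fall back to the default keypair when the RPC URL looks like a mainnet endpoint. The flag names, defaults, the "mainnet" substring heuristic and the sample values are assumptions; the base58 alphabet and the 32-byte key size are Solana's, and the SPL Token program id used in the demo is a real public address.

```typescript
// Added example (not orbit_solguard code): global CLI flag validation.

export class FlagError extends Error {
  constructor(message: string) { super(message); this.name = "FlagError"; }
}

export const COMMITMENTS = ["processed", "confirmed", "finalized"] as const;
export type Commitment = (typeof COMMITMENTS)[number];

export function parseCommitment(raw: string | undefined): Commitment {
  if (raw === undefined) return "confirmed";
  const found = COMMITMENTS.find((c) => c === raw);
  if (found === undefined) throw new FlagError(`--commitment must be one of ${COMMITMENTS.join(", ")}`);
  return found;
}

const BASE58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";

// Minimal base58 decoder (Bitcoin/Solana alphabet); leading '1's are leading zero bytes.
export function base58Decode(s: string): Uint8Array {
  if (s.length === 0) throw new FlagError("empty base58 string");
  const le: number[] = []; // little-endian base-256 digits
  for (let j = 0; j < s.length; j++) {
    let carry = BASE58.indexOf(s[j]);
    if (carry < 0) throw new FlagError(`invalid base58 character '${s[j]}'`);
    for (let i = 0; i < le.length; i++) {
      carry += le[i] * 58;
      le[i] = carry & 0xff;
      carry >>= 8;
    }
    while (carry > 0) { le.push(carry & 0xff); carry >>= 8; }
  }
  let zeros = 0;
  for (let j = 0; j < s.length && s[j] === "1"; j++) zeros++;
  const out = new Uint8Array(zeros + le.length);
  for (let i = 0; i < le.length; i++) out[zeros + i] = le[le.length - 1 - i];
  return out;
}

// A program id must decode to exactly 32 bytes, not merely look base58-ish.
export function parseProgramId(raw: string): Uint8Array {
  const key = base58Decode(raw);
  if (key.length !== 32) throw new FlagError("--program-id is not a 32-byte Solana public key");
  return key;
}

// Strip userinfo, the query string and long path tokens (provider keys) before an RPC URL is logged.
export function redactRpcUrl(url: string): string {
  return url
    .replace(/\/\/[^@\/]+@/, "//***@")
    .replace(/\?.*$/, "?<redacted>")
    .replace(/\/[A-Za-z0-9_-]{20,}(?=[\/?#]|$)/g, "/<redacted>");
}

export interface RawFlags { rpcUrl?: string; programId?: string; commitment?: string; wallet?: string; }
export interface GlobalFlags { rpcUrl: string; programId: Uint8Array; commitment: Commitment; walletPath: string; }
export const DEFAULT_WALLET = "~/.config/solana/id.json";

export function resolveGlobalFlags(raw: RawFlags): GlobalFlags {
  const rpcUrl = raw.rpcUrl ?? "http://127.0.0.1:8899";
  if (!/^https?:\/\//.test(rpcUrl)) throw new FlagError("--rpc-url must be an http(s) URL");
  if (raw.programId === undefined) throw new FlagError("--program-id is required");
  // Heuristic (assumption): never sign with the default keypair against a mainnet endpoint unasked.
  if (/mainnet/i.test(rpcUrl) && raw.wallet === undefined) {
    throw new FlagError(`refusing default wallet ${DEFAULT_WALLET} for ${redactRpcUrl(rpcUrl)}; pass --wallet explicitly`);
  }
  return {
    rpcUrl,
    programId: parseProgramId(raw.programId),
    commitment: parseCommitment(raw.commitment),
    walletPath: raw.wallet ?? DEFAULT_WALLET,
  };
}

// Demo on constructed flags; the program id is the public SPL Token program address.
const flags = resolveGlobalFlags({ programId: "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA", commitment: "finalized" });
console.log(flags.commitment, flags.programId.length); // finalized 32
console.log(redactRpcUrl("https://user:pw@rpc.example.com/v2/abcdefghijklmnopqrstuvwxyz123456?api-key=secret"));
```

The redacted form is what should reach console output, error messages and any persisted config; the raw URL stays in memory only for the connection itself.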
CRITICAL Broken Reference
Cannot find module './config.js'
src/cli.ts:2
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/init-market.js'
src/cli.ts:5
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/init-user.js'
src/cli.ts:6
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/init-lp.js'
src/cli.ts:7
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/deposit.js'
src/cli.ts:8
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/withdraw.js'
src/cli.ts:9
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/keeper-crank.js'
src/cli.ts:10
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/trade-nocpi.js'
src/cli.ts:11
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/trade-cpi.js'
src/cli.ts:12
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/liquidate-at-oracle.js'
src/cli.ts:13
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/close-account.js'
src/cli.ts:14
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/topup-insurance.js'
src/cli.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/set-risk-threshold.js'
src/cli.ts:16
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/update-admin.js'
src/cli.ts:17
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/close-slab.js'
src/cli.ts:18
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/close-all-slabs.js'
src/cli.ts:19
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/list-markets.js'
src/cli.ts:20
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/slab-get.js'
src/cli.ts:21
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/slab-header.js'
src/cli.ts:22
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/slab-config.js'
src/cli.ts:23
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/slab-nonce.js'
src/cli.ts:24
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/slab-engine.js'
src/cli.ts:25
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/slab-params.js'
src/cli.ts:26
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/slab-account.js'
src/cli.ts:27
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/slab-accounts.js'
src/cli.ts:28
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/slab-bitmap.js'
src/cli.ts:29
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/audit-cu.js'
src/cli.ts:30
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/best-price.js'
src/cli.ts:31
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/update-config.js'
src/cli.ts:32
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/set-oracle-authority.js'
src/cli.ts:33
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/push-oracle-price.js'
src/cli.ts:34
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/resolve-market.js'
src/cli.ts:35
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './commands/withdraw-insurance.js'
src/cli.ts:36
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'createCli' is never imported
src/cli.ts:38
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'getGlobalFlags' is never imported
src/cli.ts:101
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 2.1 CWE-209
Error message directly exposed to console output without sanitization
src/index.ts:9
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
CRITICAL Broken Reference
Cannot find module './cli.js'
src/index.ts:1
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
MEDIUM Path Traversal CVSS 5.3 CWE-22
The --config path (flags.config) is passed to the file read exactly as supplied. Caveat on the rating: the CLI runs as the invoking user and reads that user's own files, so an arbitrary path is not a traversal across a trust boundary by itself; it becomes one only if the CLI is wrapped by a service that forwards attacker-controlled arguments. Resolve and normalise the path, reject directories and special files, and do not echo the raw path in error output.
src/config.ts:40
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Information Disclosure CVSS 3.1 CWE-209
Error message exposes internal file path and potentially sensitive error details
src/config.ts:46
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Insecure Default CVSS 3.7 CWE-1188
~/.config/solana/id.json is the Solana CLI's standard keypair location, so the default is predictable by design. The actual risk is that a command run against a mainnet RPC silently signs with the operator's primary keypair. Require an explicit --wallet (or an interactive confirmation) whenever the RPC URL is not a local or devnet endpoint.
src/config.ts:53
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Environment Variable Injection CVSS 2.9 CWE-426
HOME/USERPROFILE are read to expand '~'. These belong to the user's own environment, so manipulation matters only when the CLI runs under sudo or from a service with a foreign environment; prefer os.homedir() and fail closed when no home directory can be determined.
src/config.ts:74
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'Config' is never imported
src/config.ts:15
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'GlobalFlags' is never imported
src/config.ts:17
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'loadConfig' is never imported
src/config.ts:32
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core
LOW Dead Code
Export 'expandPath' is never imported
src/config.ts:75
Fix Complexity: MEDIUM
Est. Time: 1-3 hours
Affected: Application Core

Audit Methodology

Scope

This security audit encompassed a comprehensive analysis of the entire codebase, including:

  • Static code analysis for security vulnerabilities
  • Dependency and import validation
  • Authentication and authorization mechanisms
  • Input validation and sanitization
  • Cryptographic implementations
  • Session management and cookie security
  • Error handling and information disclosure
  • Access control enforcement

Testing Approach

  • Automated Scanning: Advanced static analysis tools to identify common vulnerabilities
  • Manual Code Review: Expert analysis of critical security components
  • Pattern Matching: Detection of known insecure coding patterns
  • Dataflow Analysis: Tracing user input through the application
  • Compliance Checking: Verification against industry standards (OWASP, NIST, CWE)

Standards & Frameworks

  • OWASP Top 10 2021: Industry-standard web application security risks
  • CWE Top 25: Most dangerous software weaknesses
  • NIST 800-53: Security and privacy controls
  • CVSS 3.1: Common Vulnerability Scoring System
  • PCI-DSS: Payment Card Industry Data Security Standard